Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1533087
MD5: c67cbe41403958f6ad49944b43713681
SHA1: 0ef52d2c7999e0fb7ba72bfc548fdbcbe07d71ef
SHA256: 296bd1a15214fe2da44eed3c0af8e217f4ccfdb9e4ef60a31bd29a0dfe967505
Tags: exe, user-Bitsight
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
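Several of the static signatures above (32-bit PE, invalid checksum, non-standard and special-character section names, entry point outside standard sections) are plain header checks that can be reproduced without the sandbox. The following is an added example written for this page in stdlib-only Python; it is not Joe Sandbox's own logic. build_test_pe() constructs a throwaway, non-loadable image so the checks can be exercised without the sample, and the set of names treated as "standard" (STANDARD_SECTIONS) is an assumption, not the exact list the sandbox uses.

```python
"""Static checks behind the header-level signatures above: 32-bit image,
invalid checksum, non-standard / special-character section names and an entry
point outside a standard section. Added example in pure stdlib Python."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC = 0x10B
# Assumed list of "standard" names; packers and obfuscators use anything else.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT"}

def pe_checksum(data, checksum_offset):
    """Image checksum as CheckSumMappedFile computes it: carry-folded sum of
    the file with the CheckSum field excluded, plus the file length.
    Assumes the field is 4-byte aligned (true for any sane e_lfanew)."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)     # fold the carry
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)

def parse_pe(data):
    """Minimal DOS/COFF/optional/section header parse (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    checksum_off = opt + 64                      # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, _ = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "size": max(vsize, rawsize)})
    return {"machine": machine,
            "magic": struct.unpack_from("<H", data, opt)[0],
            "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum_off": checksum_off,
            "header_checksum": struct.unpack_from("<I", data, checksum_off)[0],
            "sections": sections}

def triage(data):
    """Return the same kind of verdicts the report lists as static signatures."""
    pe = parse_pe(data)
    ep = pe["entry_rva"]
    ep_sec = next((s for s in pe["sections"] if s["va"] <= ep < s["va"] + s["size"]), None)
    if pe["header_checksum"] == 0:
        checksum = "unset"        # common for user-mode binaries, not a red flag
    elif pe["header_checksum"] == pe_checksum(data, pe["checksum_off"]):
        checksum = "valid"
    else:
        checksum = "invalid"      # what "PE file contains an invalid checksum" means
    names = [s["name"] for s in pe["sections"]]
    return {"is_32bit": pe["machine"] == IMAGE_FILE_MACHINE_I386 and pe["magic"] == PE32_MAGIC,
            "checksum": checksum,
            "entry_section": ep_sec["name"] if ep_sec else None,
            "entry_outside_standard": ep_sec is None or ep_sec["name"] not in STANDARD_SECTIONS,
            "nonstandard_sections": [n for n in names if n not in STANDARD_SECTIONS],
            "special_char_sections": [n for n in names
                                      if not all(c.isalnum() or c in "._$" for c in n)]}

def build_test_pe(section_names, entry_section, checksum="valid"):
    """Constructed, non-loadable PE32 image (up to five sections) used only to
    exercise the checks; the entry point lands inside section[entry_section]."""
    nsec, align = len(section_names), 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                   # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, nsec, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                                     # PE32, 16 data dirs
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000 * (entry_section + 1) + 0x10)   # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, align)              # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x1000 * (nsec + 1), align)            # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                                       # Subsystem: GUI
    struct.pack_into("<I", opt, 92, 16)                                      # NumberOfRvaAndSizes
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode("latin-1")[:8].ljust(8, b"\0"),
                                align, 0x1000 * (i + 1), align, align * (i + 1),
                                0, 0, 0, 0, 0x60000020)
                    for i, n in enumerate(section_names))
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(align, b"\0")
    image = bytearray(headers + b"\xCC" * (align * nsec))
    checksum_off = 64 + 4 + 20 + 64
    value = {"valid": pe_checksum(bytes(image), checksum_off), "unset": 0, "invalid": 0xDEADBEEF}
    struct.pack_into("<I", image, checksum_off, value[checksum])
    return bytes(image)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_test_pe([".text", "\x01\x7fX", "UPX1"], 1, checksum="invalid")
    for key, val in triage(data).items():
        print(f"{key:24} {val!r}")
```

A zero checksum is reported as "unset" rather than "invalid": the loader only enforces the field for drivers, and many user-mode binaries ship with 0, so the case worth flagging is the one the report calls out, a non-zero value that does not match the computed one. Run it with a path argument to triage a real file; without one it triages the constructed packed-looking image.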

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: file.exe Avira: detected
Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://steamcommunity.com:443/profiles/76561199724331900 URL Reputation: Label: malware
Source: file.exe.7416.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["dissapoiznw.store", "licendfilteo.site", "spirittunek.store", "bathdoomgaz.store", "clearancek.site", "eaglepawnoy.store", "studennotediw.store", "mobbipenju.store"], "Build id": "4SD0y4--legendaryy"}
Source: spirittunek.store Virustotal: Detection: 21% Perma Link
Source: dissapoiznw.store Virustotal: Detection: 21% Perma Link
Source: mobbipenju.store Virustotal: Detection: 21% Perma Link
Source: clearancek.site Virustotal: Detection: 17% Perma Link
Source: studennotediw.store Virustotal: Detection: 17% Perma Link
Source: bathdoomgaz.store Virustotal: Detection: 21% Perma Link
Source: eaglepawnoy.store Virustotal: Detection: 18% Perma Link
Source: licendfilteo.site Virustotal: Detection: 15% Perma Link
Source: https://bathdoomgaz.store:443/api Virustotal: Detection: 21% Perma Link
Source: https://dissapoiznw.store:443/api Virustotal: Detection: 21% Perma Link
Source: https://eaglepawnoy.store:443/api Virustotal: Detection: 21% Perma Link
Source: https://spirittunek.store:443/api Virustotal: Detection: 21% Perma Link
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: 00000000.00000002.1748487953.0000000000801000.00000040.00000001.01000000.00000003.sdmp String decryptor: clearancek.site
Source: 00000000.00000002.1748487953.0000000000801000.00000040.00000001.01000000.00000003.sdmp String decryptor: licendfilteo.site
Source: 00000000.00000002.1748487953.0000000000801000.00000040.00000001.01000000.00000003.sdmp String decryptor: spirittunek.store
Source: 00000000.00000002.1748487953.0000000000801000.00000040.00000001.01000000.00000003.sdmp String decryptor: bathdoomgaz.store
Source: 00000000.00000002.1748487953.0000000000801000.00000040.00000001.01000000.00000003.sdmp String decryptor: studennotediw.store
Source: 00000000.00000002.1748487953.0000000000801000.00000040.00000001.01000000.00000003.sdmp String decryptor: dissapoiznw.store
Source: 00000000.00000002.1748487953.0000000000801000.00000040.00000001.01000000.00000003.sdmp String decryptor: eaglepawnoy.store
Source: 00000000.00000002.1748487953.0000000000801000.00000040.00000001.01000000.00000003.sdmp String decryptor: mobbipenju.store
Source: 00000000.00000002.1748487953.0000000000801000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1748487953.0000000000801000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1748487953.0000000000801000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1748487953.0000000000801000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1748487953.0000000000801000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1748487953.0000000000801000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_008450FA
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_0080D110
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_008463B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00845700
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_008499D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h 0_2_0084695B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 0_2_0080FCA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 0_2_00810EEC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00846094
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [edx] 0_2_00801000
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 0_2_00816F91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then dec ebx 0_2_0083F030
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_00844040
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_0082D1E1
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_008142FC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_00822260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [esi], ax 0_2_00822260
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+30h] 0_2_008323E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_008323E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+14h] 0_2_008323E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebp, eax 0_2_0080A300
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh 0_2_008464B8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_0082E40C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 0_2_0081B410
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 0_2_00841440
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_0081D457
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 0_2_0082C470
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00829510
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh 0_2_00847520
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_00816536
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_0083B650
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_0082E66A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_0082D7AF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 0_2_008467EF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 0_2_00847710
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], dx 0_2_008228E9
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 0_2_008049A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 0_2_00843920
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 0_2_0081D961
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00811ACD
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00811A3C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 0_2_00844A40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 0_2_00805A50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_00830B80
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 0_2_00813BE2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_00811BEE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 0_2_00849B60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+000006B8h] 0_2_0081DB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h 0_2_0081DB6F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_0082AC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], ax 0_2_0082AC91
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 0_2_0082CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_0082CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h 0_2_0082CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00849CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 0_2_00849CE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 0_2_00827C00
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh 0_2_0083FC20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h 0_2_0082EC48
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00848D8A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh 0_2_0082FD10
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 0_2_0082DD29
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 0_2_00811E93
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 0_2_00806EA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, word ptr [ebp+00h] 0_2_0080BEB0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 0_2_00816EBF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edi, ecx 0_2_00814E2A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, word ptr [ecx] 0_2_0082AE57
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00827E60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00825E70
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h 0_2_00847FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_00847FC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00808FD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00845FD6
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], 0000h 0_2_0081FFDF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00829F62
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp] 0_2_0083FF70

Networking

Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.4:55338 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.4:53118 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.4:64432 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.4:55846 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.4:50490 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.4:61083 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.4:64873 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.4:63011 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49730 -> 104.102.49.254:443
Source: Malware configuration extractor URLs: dissapoiznw.store
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Malware configuration extractor URLs: spirittunek.store
Source: Malware configuration extractor URLs: bathdoomgaz.store
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: eaglepawnoy.store
Source: Malware configuration extractor URLs: studennotediw.store
Source: Malware configuration extractor URLs: mobbipenju.store
Source: Joe Sandbox View IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View ASN Name: AKAMAI-ASUS AKAMAI-ASUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected:
GET /profiles/76561199724331900 HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: steamcommunity.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (9 occurrences)
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=2f97cd0204db43a7733b20f8; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25489Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 14 Oct 2024 11:07:05 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ne' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
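The extracted configuration (C2 domains and build id), the decrypted beacon strings (lid=%s&j=%s&ver=4.0 and the TeslaBrowser/5.5 user agent), the /api endpoints seen in memory and the Steam profile URL flagged above are enough to build network detections matching the Suricata DNS alerts and DNS queries listed in this section. The script below is an added example, not part of the Joe Sandbox report and not the malware's code: the config and strings are copied from the report, the DNS and proxy log lines it scans are constructed, and placing the build id in the lid field of the constructed beacon is an assumption (the report only shows the format string).

```python
"""Network IOCs and log checks derived from the LummaC configuration and
decrypted strings in this report. Added example; log lines are constructed."""
import json
import re
import shlex
from urllib.parse import urlsplit

# Malware configuration exactly as printed by the report's extractor.
CONFIG = json.loads(
    '{"C2 url": ["dissapoiznw.store", "licendfilteo.site", "spirittunek.store", '
    '"bathdoomgaz.store", "clearancek.site", "eaglepawnoy.store", '
    '"studennotediw.store", "mobbipenju.store"], "Build id": "4SD0y4--legendaryy"}'
)
# Decrypted strings from the report: beacon body format and User-Agent.
BEACON_UA = "TeslaBrowser/5.5"
BEACON_BODY_RE = re.compile(r"(?:^|&)lid=[^&]*&j=[^&]*&ver=4\.0(?:&|$)")
# Steam profile the sample fetched (flagged as a malware URL in the report).
DEAD_DROP_URLS = {"https://steamcommunity.com/profiles/76561199724331900"}

def iocs_from_config(cfg):
    """C2 domains, the /api endpoints seen in memory, and the build id."""
    domains = sorted(d.lower().rstrip(".") for d in cfg["C2 url"])
    return {"domains": domains,
            "urls": [f"https://{d}/api" for d in domains],
            "build_id": cfg["Build id"]}

def host_matches(qname, domains):
    """Exact or subdomain match; case-insensitive, trailing dot ignored.
    Returns the matched C2 domain or None."""
    q = qname.lower().rstrip(".")
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None

def scan_dns(log, domains):
    """Constructed line format: '<ts> <client> <qname> <qtype>'."""
    hits = []
    for line in log.splitlines():
        if line.strip():
            ts, client, qname, _qtype = line.split()
            matched = host_matches(qname, domains)
            if matched:
                hits.append((ts, client, qname, matched))
    return hits

def scan_proxy(log, domains):
    """Constructed line format: '<client> <method> <url> "<user-agent>" <body|->'.
    Returns (client, url, reasons) for each request that matches an IOC."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        client, method, url, ua, body = shlex.split(line)
        parts = urlsplit(url)
        reasons = set()
        if host_matches(parts.hostname or "", domains):
            reasons.add("c2-domain")
        if ua == BEACON_UA:
            reasons.add("lumma-user-agent")
        if method == "POST" and parts.path == "/api" and BEACON_BODY_RE.search(body):
            reasons.add("beacon-body")
        if url in DEAD_DROP_URLS:
            reasons.add("dead-drop-url")
        if reasons:
            hits.append((client, url, reasons))
    return hits

# Constructed sample logs (not from the report). The lid value is assumed to
# carry the build id; the report only shows the format string.
DNS_LOG = """\
2024-10-14T11:07:01Z 192.168.2.4 clearancek.site A
2024-10-14T11:07:01Z 192.168.2.4 steamcommunity.com A
2024-10-14T11:07:02Z 192.168.2.4 cdn.BATHDOOMGAZ.store. A
2024-10-14T11:07:02Z 192.168.2.5 www.example.com A
"""
PROXY_LOG = """\
192.168.2.4 GET https://steamcommunity.com/profiles/76561199724331900 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36" -
192.168.2.4 POST https://bathdoomgaz.store/api "TeslaBrowser/5.5" lid=4SD0y4--legendaryy&j=AAAA&ver=4.0
192.168.2.4 POST https://clearancek.site/api "Mozilla/5.0" lid=4SD0y4--legendaryy&j=AAAA&ver=4.0
192.168.2.5 GET https://www.example.com/ "Mozilla/5.0" -
"""

if __name__ == "__main__":
    iocs = iocs_from_config(CONFIG)
    print(json.dumps(iocs, indent=2))
    for hit in scan_dns(DNS_LOG, iocs["domains"]):
        print("DNS ", hit)
    for hit in scan_proxy(PROXY_LOG, iocs["domains"]):
        print("HTTP", hit)
```

Domain matching is done on exact name or subdomain, never on substring, so a lookalike such as notclearancek.site does not fire; the Steam profile fetch is matched on the exact URL because the browser-like user agent the sample uses for it (see the GET request above) would otherwise blend in with ordinary traffic.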
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000002.1749802376.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748175798.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000002.1749802376.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748175798.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000002.1749802376.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748175798.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.1748278382.000000000128F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1749683516.000000000128F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bathdoomgaz.store:443/api
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000003.1748278382.000000000128F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1749683516.000000000128F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/api5
Source: file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748115100.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1749837386.00000000012CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=2Ih2WOq7ErXY&a
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=engli
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: file.exe, 00000000.00000002.1749802376.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748175798.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000002.1749802376.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748175798.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000002.1749802376.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748175798.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=bz0kMfQA
Source: file.exe, 00000000.00000002.1749802376.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748175798.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=hgPi
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&amp
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.1748278382.000000000128F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1749683516.000000000128F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dissapoiznw.store:443/api
Source: file.exe, 00000000.00000003.1748278382.000000000128F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1749683516.000000000128F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eaglepawnoy.store:443/api
Source: file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.1748278382.000000000128F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1749683516.000000000128F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site:443/apig5
Source: file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.1748278382.000000000128F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1749683516.000000000128F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spirittunek.store:443/api
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000002.1749802376.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748175798.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1749683516.000000000128F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000002.1749802376.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748175798.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.1748278382.000000000128F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1749683516.000000000128F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1748278382.000000000128F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1749683516.000000000128F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900F
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.1748278382.000000000128F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1749683516.000000000128F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000002.1749886308.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd7fb65801182a5f
Source: file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000002.1749802376.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748175798.00000000012CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1748278382.000000000128F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1749683516.000000000128F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://studennotediw.store:443/api94
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.1748258682.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748071835.0000000001318000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748115100.00000000012CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.1748071835.0000000001311000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748212239.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00810228 0_2_00810228
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0084A0D0 0_2_0084A0D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00801000 0_2_00801000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00812030 0_2_00812030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00844040 0_2_00844040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0080E1A0 0_2_0080E1A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008071F0 0_2_008071F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008B5154 0_2_008B5154
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00805160 0_2_00805160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008382D0 0_2_008382D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008312D0 0_2_008312D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008012F7 0_2_008012F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00978222 0_2_00978222
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0089F264 0_2_0089F264
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0080B3A0 0_2_0080B3A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008013A3 0_2_008013A3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008323E0 0_2_008323E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0080A300 0_2_0080A300
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00814487 0_2_00814487
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0081049B 0_2_0081049B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008364F0 0_2_008364F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082C470 0_2_0082C470
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008035B0 0_2_008035B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0081C5F0 0_2_0081C5F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D46BB 0_2_009D46BB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008486F0 0_2_008486F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0083F620 0_2_0083F620
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0080164F 0_2_0080164F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00848652 0_2_00848652
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008D4663 0_2_008D4663
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008D175C 0_2_008D175C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008B9750 0_2_008B9750
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0083E8A0 0_2_0083E8A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0083B8C0 0_2_0083B8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009CD8E7 0_2_009CD8E7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00831860 0_2_00831860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082098B 0_2_0082098B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008489A0 0_2_008489A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009C89EB 0_2_009C89EB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00848A80 0_2_00848A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00847AB0 0_2_00847AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087DAF8 0_2_0087DAF8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00844A40 0_2_00844A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00807BF0 0_2_00807BF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D2B74 0_2_009D2B74
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0081DB6F 0_2_0081DB6F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00846CBF 0_2_00846CBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082CCD0 0_2_0082CCD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00848C02 0_2_00848C02
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009B5D8A 0_2_009B5D8A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082FD10 0_2_0082FD10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082DD29 0_2_0082DD29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00828D62 0_2_00828D62
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0080BEB0 0_2_0080BEB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00816EBF 0_2_00816EBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00814E2A 0_2_00814E2A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082AE57 0_2_0082AE57
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00848E70 0_2_00848E70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009D0FB3 0_2_009D0FB3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00847FC0 0_2_00847FC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00808FD0 0_2_00808FD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0080AF10 0_2_0080AF10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009CBF30 0_2_009CBF30
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0080CAA0 appears 48 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0081D300 appears 152 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9994907693894389
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@9/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00838220 CoCreateInstance, 0_2_00838220
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: file.exe Static file information: File size 2941952 > 1048576
Source: file.exe Static PE information: Raw size of rgumwtgv is bigger than: 0x100000 < 0x2a4c00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.800000.0.unpack :EW;.rsrc :W;.idata :W;rgumwtgv:EW;govlmwxo:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;rgumwtgv:EW;govlmwxo:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x2d6dcb should be: 0x2dda1b
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: rgumwtgv
Source: file.exe Static PE information: section name: govlmwxo
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A8908E push eax; mov dword ptr [esp], edi 0_2_00A890C2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A8F0EB push 3C94F1E4h; mov dword ptr [esp], ebp 0_2_00A8F134
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F60D7 push 69DCE1F1h; mov dword ptr [esp], eax 0_2_009F60F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009720E3 push ecx; mov dword ptr [esp], edx 0_2_0097210B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009720E3 push 281F024Ah; mov dword ptr [esp], ebp 0_2_00972132
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009720E3 push ebp; mov dword ptr [esp], esi 0_2_0097215E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009720E3 push edx; mov dword ptr [esp], ebx 0_2_00972191
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A5C02A push edi; mov dword ptr [esp], ebx 0_2_00A5C04F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A5C02A push 084F39B0h; mov dword ptr [esp], ebx 0_2_00A5C065
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A5C02A push eax; mov dword ptr [esp], edx 0_2_00A5C096
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A8E1B9 push 46224FDFh; mov dword ptr [esp], ebx 0_2_00A8E1D1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A8E1B9 push edi; mov dword ptr [esp], 7FEBD5CAh 0_2_00A8E1DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A8E1B9 push edx; mov dword ptr [esp], 6EC2EC5Bh 0_2_00A8E20F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A8E1B9 push ebx; mov dword ptr [esp], 363DD299h 0_2_00A8E27E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB4139 push edx; mov dword ptr [esp], eax 0_2_00AB417D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009EF125 push 5F407170h; mov dword ptr [esp], ecx 0_2_009EF2D3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009FE17E push 4C82B64Bh; mov dword ptr [esp], ebp 0_2_009FE1A2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB42E0 push 63810B0Ch; mov dword ptr [esp], ecx 0_2_00AB4327
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A842E4 push eax; mov dword ptr [esp], edx 0_2_00A842ED
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F22D2 push 0055A040h; mov dword ptr [esp], eax 0_2_009F2342
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F22D2 push edi; mov dword ptr [esp], 0E706F26h 0_2_009F235E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008E823C push 02F0B78Fh; mov dword ptr [esp], esi 0_2_008E8264
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008E823C push ebx; mov dword ptr [esp], ecx 0_2_008E82F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009EE22A push edi; mov dword ptr [esp], 2C008E6Eh 0_2_009EE256
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00978222 push ecx; mov dword ptr [esp], edi 0_2_00978257
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0089F264 push 7C3DE7CFh; mov dword ptr [esp], ebp 0_2_0089F278
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0089F264 push 33D3964Bh; mov dword ptr [esp], eax 0_2_0089F2BF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0089F264 push edx; mov dword ptr [esp], ebp 0_2_0089F2F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0089F264 push 1BBD649Dh; mov dword ptr [esp], esi 0_2_0089F339
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0089F264 push eax; mov dword ptr [esp], edx 0_2_0089F364
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0089F264 push eax; mov dword ptr [esp], edi 0_2_0089F3C4
Source: file.exe Static PE information: section name: entropy: 7.975310756181989

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 864413 second address: 864419 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 864419 second address: 86441D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DED7D second address: 9DED81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DED81 second address: 9DED85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DED85 second address: 9DED8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DEF2F second address: 9DEF7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push ebx 0x00000008 pushad 0x00000009 jg 00007F3998DAA3D6h 0x0000000f jc 00007F3998DAA3D6h 0x00000015 popad 0x00000016 pop ebx 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007F3998DAA3D8h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 00000016h 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 mov dword ptr [ebp+122D3BC1h], edi 0x00000038 push 00000000h 0x0000003a or dx, A77Bh 0x0000003f push C95F40D4h 0x00000044 push ecx 0x00000045 push esi 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DEF7B second address: 9DF024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 add dword ptr [esp], 36A0BFACh 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F3998BCD1A8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D268Ah], esi 0x0000002d push 00000003h 0x0000002f mov dword ptr [ebp+122D1DCDh], ebx 0x00000035 push 00000000h 0x00000037 push 00000003h 0x00000039 push 00000000h 0x0000003b push esi 0x0000003c call 00007F3998BCD1A8h 0x00000041 pop esi 0x00000042 mov dword ptr [esp+04h], esi 0x00000046 add dword ptr [esp+04h], 00000017h 0x0000004e inc esi 0x0000004f push esi 0x00000050 ret 0x00000051 pop esi 0x00000052 ret 0x00000053 push ED15ADDEh 0x00000058 jmp 00007F3998BCD1AFh 0x0000005d xor dword ptr [esp], 2D15ADDEh 0x00000064 xor esi, 690C5F5Ch 0x0000006a mov ecx, dword ptr [ebp+122D2BF8h] 0x00000070 lea ebx, dword ptr [ebp+1244EC7Dh] 0x00000076 mov esi, 70BA83C5h 0x0000007b xchg eax, ebx 0x0000007c push eax 0x0000007d push edx 0x0000007e pushad 0x0000007f jmp 00007F3998BCD1B6h 0x00000084 push edx 0x00000085 pop edx 0x00000086 popad 0x00000087 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DF024 second address: 9DF042 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3998DAA3D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jnc 00007F3998DAA3DCh 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DF09C second address: 9DF0BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3998BCD1B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e jno 00007F3998BCD1A6h 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DF0BF second address: 9DF0C4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DF179 second address: 9DF17D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DF17D second address: 9DF1AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F3998DAA3D8h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f add dword ptr [esp], 715938E9h 0x00000016 mov dword ptr [ebp+122D2A1Ah], esi 0x0000001c lea ebx, dword ptr [ebp+1244EC88h] 0x00000022 mov dword ptr [ebp+122D23AAh], edi 0x00000028 xchg eax, ebx 0x00000029 pushad 0x0000002a push esi 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DF1AA second address: 9DF1CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F3998BCD1AFh 0x0000000a popad 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3998BCD1ABh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FDA40 second address: 9FDA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FDA4B second address: 9FDA4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FDA4F second address: 9FDA5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FDBC3 second address: 9FDBCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FDEE2 second address: 9FDEF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F3998DAA3DCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FDEF3 second address: 9FDEF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FDEF9 second address: 9FDF0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3998DAA3E2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FE090 second address: 9FE096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FE35C second address: 9FE3A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3998DAA3DCh 0x00000009 jnl 00007F3998DAA3DCh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3998DAA3E4h 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007F3998DAA3E4h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FE3A9 second address: 9FE3CF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F3998BCD1B3h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3998BCD1ABh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FEAAB second address: 9FEAC4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F3998DAA3E3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FEDC4 second address: 9FEDD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3998BCD1A6h 0x0000000a jl 00007F3998BCD1A6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FEDD9 second address: 9FEDDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FEDDD second address: 9FEDE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06D7E second address: A06D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06D82 second address: A06D88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06D88 second address: A06DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3998DAA3E3h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D41F1 second address: 9D4210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push ebx 0x00000008 jmp 00007F3998BCD1B0h 0x0000000d jns 00007F3998BCD1A6h 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0BA4E second address: A0BA55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0BBB7 second address: A0BBCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F3998BCD1B0h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0BBCD second address: A0BBEC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3998DAA3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3998DAA3E3h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0BBEC second address: A0BBF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0BBF0 second address: A0BC29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F3998DAA3E2h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 jmp 00007F3998DAA3E9h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0BDA1 second address: A0BDA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0C1A1 second address: A0C1A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0D36B second address: A0D3BD instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3998BCD1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F3998BCD1B1h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jmp 00007F3998BCD1B0h 0x00000019 mov eax, dword ptr [eax] 0x0000001b push edi 0x0000001c push edi 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f pop edi 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F3998BCD1B2h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0D3BD second address: A0D3D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3998DAA3E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0D3D2 second address: A0D3E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3998BCD1B3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0D3E9 second address: A0D3ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0D3ED second address: A0D427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F3998BCD1A8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 mov edi, dword ptr [ebp+122D2427h] 0x00000029 push E3A59848h 0x0000002e push eax 0x0000002f push edx 0x00000030 jbe 00007F3998BCD1A8h 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0D72E second address: A0D734 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0D734 second address: A0D738 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0DFE9 second address: A0E003 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3998DAA3DCh 0x00000008 jc 00007F3998DAA3D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007F3998DAA3D6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0E4C6 second address: A0E4CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0E604 second address: A0E628 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnl 00007F3998DAA3D6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3998DAA3E4h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0E628 second address: A0E65A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3998BCD1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b nop 0x0000000c mov dword ptr [ebp+1244D814h], esi 0x00000012 call 00007F3998BCD1B2h 0x00000017 mov dword ptr [ebp+124777D6h], ecx 0x0000001d pop edi 0x0000001e xchg eax, ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 push ebx 0x00000022 pushad 0x00000023 popad 0x00000024 pop ebx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0E65A second address: A0E65F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0EBB9 second address: A0EBC3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3998BCD1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0EBC3 second address: A0EBE2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3998DAA3DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007F3998DAA3E2h 0x00000011 jp 00007F3998DAA3DCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0F632 second address: A0F643 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3998BCD1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1072F second address: A10735 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1112D second address: A11131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A10F13 second address: A10F19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11BDB second address: A11BF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3998BCD1B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11BF7 second address: A11C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11C00 second address: A11C39 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3998BCD1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov dword ptr [ebp+1244FB61h], ebx 0x00000012 push 00000000h 0x00000014 mov si, dx 0x00000017 push 00000000h 0x00000019 mov dword ptr [ebp+122D2904h], ecx 0x0000001f mov esi, eax 0x00000021 xchg eax, ebx 0x00000022 push esi 0x00000023 pushad 0x00000024 push eax 0x00000025 pop eax 0x00000026 jc 00007F3998BCD1A6h 0x0000002c popad 0x0000002d pop esi 0x0000002e push eax 0x0000002f je 00007F3998BCD1B8h 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11C39 second address: A11C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A14A12 second address: A14AC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F3998BCD1B5h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+122D299Ch], esi 0x00000014 mov di, si 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F3998BCD1A8h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 add esi, 148895FEh 0x00000039 stc 0x0000003a jnc 00007F3998BCD1BAh 0x00000040 call 00007F3998BCD1ADh 0x00000045 mov esi, dword ptr [ebp+122D2ED0h] 0x0000004b pop esi 0x0000004c push 00000000h 0x0000004e push 00000000h 0x00000050 push ebp 0x00000051 call 00007F3998BCD1A8h 0x00000056 pop ebp 0x00000057 mov dword ptr [esp+04h], ebp 0x0000005b add dword ptr [esp+04h], 0000001Bh 0x00000063 inc ebp 0x00000064 push ebp 0x00000065 ret 0x00000066 pop ebp 0x00000067 ret 0x00000068 xchg eax, ebx 0x00000069 jno 00007F3998BCD1BDh 0x0000006f push eax 0x00000070 push esi 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 pop eax 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D2647 second address: 9D2667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3998DAA3E5h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D2667 second address: 9D266B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D266B second address: 9D268C instructions: 0x00000000 rdtsc 0x00000002 js 00007F3998DAA3D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F3998DAA3DFh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D268C second address: 9D26A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3998BCD1B1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D26A8 second address: 9D26ED instructions: 0x00000000 rdtsc 0x00000002 js 00007F3998DAA3FFh 0x00000008 jmp 00007F3998DAA3E5h 0x0000000d jmp 00007F3998DAA3E4h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F3998DAA3E2h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CEF3A second address: 9CEF3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1C8BE second address: A1C8C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1C8C8 second address: A1C8CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1E3FA second address: A1E3FF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1F0AD second address: A1F0B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A20127 second address: A20132 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F3998DAA3D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A23F5A second address: A23F5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A23F5E second address: A23F64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2311E second address: A231C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3998BCD1B0h 0x00000008 jmp 00007F3998BCD1B1h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 mov di, cx 0x00000016 push dword ptr fs:[00000000h] 0x0000001d pushad 0x0000001e mov cx, 2F77h 0x00000022 jmp 00007F3998BCD1B1h 0x00000027 popad 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f jnp 00007F3998BCD1ACh 0x00000035 push edi 0x00000036 add bx, A95Dh 0x0000003b pop edi 0x0000003c mov eax, dword ptr [ebp+122D0309h] 0x00000042 sub dword ptr [ebp+1245817Bh], edx 0x00000048 mov dword ptr [ebp+122D2294h], esi 0x0000004e push FFFFFFFFh 0x00000050 push 00000000h 0x00000052 push edi 0x00000053 call 00007F3998BCD1A8h 0x00000058 pop edi 0x00000059 mov dword ptr [esp+04h], edi 0x0000005d add dword ptr [esp+04h], 00000016h 0x00000065 inc edi 0x00000066 push edi 0x00000067 ret 0x00000068 pop edi 0x00000069 ret 0x0000006a js 00007F3998BCD1ACh 0x00000070 jbe 00007F3998BCD1A6h 0x00000076 nop 0x00000077 push ebx 0x00000078 push eax 0x00000079 push edx 0x0000007a pushad 0x0000007b popad 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A23F64 second address: A23FD7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jbe 00007F3998DAA3EBh 0x0000000f jmp 00007F3998DAA3E5h 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F3998DAA3D8h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f push 00000000h 0x00000031 jnp 00007F3998DAA3D7h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007F3998DAA3D8h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 00000014h 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 xchg eax, esi 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A25018 second address: A2501C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2501C second address: A25022 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A240E6 second address: A240EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A26117 second address: A26199 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3998DAA3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jng 00007F3998DAA3D6h 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 jmp 00007F3998DAA3DEh 0x0000001b nop 0x0000001c sbb bh, 0000002Eh 0x0000001f jo 00007F3998DAA3DAh 0x00000025 mov bx, F692h 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007F3998DAA3D8h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 push 00000000h 0x00000047 push 00000000h 0x00000049 push ebx 0x0000004a call 00007F3998DAA3D8h 0x0000004f pop ebx 0x00000050 mov dword ptr [esp+04h], ebx 0x00000054 add dword ptr [esp+04h], 0000001Bh 0x0000005c inc ebx 0x0000005d push ebx 0x0000005e ret 0x0000005f pop ebx 0x00000060 ret 0x00000061 xchg eax, esi 0x00000062 push ebx 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A26199 second address: A261B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F3998BCD1B3h 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A252A4 second address: A252A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A274CB second address: A274D1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A28443 second address: A2844D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F3998DAA3D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2844D second address: A28451 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A293AB second address: A293B5 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3998DAA3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A285D5 second address: A285DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A285DA second address: A285E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2953A second address: A2953E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2B28D second address: A2B291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2953E second address: A29544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A29544 second address: A2954A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2B291 second address: A2B317 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a pushad 0x0000000b jmp 00007F3998BCD1ADh 0x00000010 or esi, 2E9B17EAh 0x00000016 popad 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007F3998BCD1A8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 mov di, 07D6h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push esi 0x0000003c call 00007F3998BCD1A8h 0x00000041 pop esi 0x00000042 mov dword ptr [esp+04h], esi 0x00000046 add dword ptr [esp+04h], 0000001Ah 0x0000004e inc esi 0x0000004f push esi 0x00000050 ret 0x00000051 pop esi 0x00000052 ret 0x00000053 mov bl, BCh 0x00000055 xchg eax, esi 0x00000056 pushad 0x00000057 jnp 00007F3998BCD1ACh 0x0000005d push eax 0x0000005e push edx 0x0000005f js 00007F3998BCD1A6h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2C316 second address: A2C324 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2B4A1 second address: A2B4B8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 js 00007F3998BCD1A6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jng 00007F3998BCD1B4h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2C324 second address: A2C3C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F3998DAA3D8h 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007F3998DAA3D8h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 00000019h 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a mov dword ptr [ebp+122D299Ch], esi 0x00000030 mov ebx, dword ptr [ebp+122D2973h] 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edi 0x0000003b call 00007F3998DAA3D8h 0x00000040 pop edi 0x00000041 mov dword ptr [esp+04h], edi 0x00000045 add dword ptr [esp+04h], 00000019h 0x0000004d inc edi 0x0000004e push edi 0x0000004f ret 0x00000050 pop edi 0x00000051 ret 0x00000052 mov edi, dword ptr [ebp+12475DD0h] 0x00000058 push 00000000h 0x0000005a pushad 0x0000005b mov ax, si 0x0000005e xor dword ptr [ebp+122D277Fh], edx 0x00000064 popad 0x00000065 xchg eax, esi 0x00000066 pushad 0x00000067 jmp 00007F3998DAA3E2h 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007F3998DAA3E7h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2E550 second address: A2E55A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3998BCD1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2E55A second address: A2E560 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A351B7 second address: A351BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A351BD second address: A351C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A351C6 second address: A351D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F3998BCD1A6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A351D2 second address: A351D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A34A74 second address: A34AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F3998BCD1B2h 0x0000000a popad 0x0000000b jnp 00007F3998BCD1D4h 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 jns 00007F3998BCD1A6h 0x0000001a jmp 00007F3998BCD1AEh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A34AAB second address: A34AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A34AB3 second address: A34AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A34BBF second address: A34BCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A34BCB second address: A34BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3998BCD1AEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A34BDD second address: A34BE7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3998DAA3D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A34BE7 second address: A34C12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3998BCD1B9h 0x0000000c pushad 0x0000000d popad 0x0000000e jp 00007F3998BCD1A6h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A34C12 second address: A34C1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007F3998DAA3D6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A34C1E second address: A34C30 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3998BCD1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F3998BCD1AEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A392DA second address: A392DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A392DF second address: A392E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A392E5 second address: A392F7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3998DAA3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A395C4 second address: A395CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A395CA second address: A395D4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3998DAA3DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3DBE8 second address: A3DBF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3DBF3 second address: A3DBF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3DBF9 second address: A3DBFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3EA4F second address: A3EA53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3EA53 second address: A3EA5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3EA5C second address: A3EA71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3998DAA3D6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop esi 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3ED68 second address: A3ED75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F3998BCD1A8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A444A8 second address: A444B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jns 00007F3998DAA3D8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A47019 second address: A47025 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F3998BCD1A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4D4B1 second address: A4D4B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4D4B5 second address: A4D4C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F3998BCD1A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4C195 second address: A4C1BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F3998DAA3DDh 0x00000011 jo 00007F3998DAA3D6h 0x00000017 jng 00007F3998DAA3D6h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4C1BB second address: A4C1CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push esi 0x00000008 pop esi 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F3998BCD1A6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4C1CF second address: A4C1D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4C1D3 second address: A4C1D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4CBED second address: A4CC0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F3998DAA3E2h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4CEEC second address: A4CEF6 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3998BCD1ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4BBB4 second address: A4BBB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4BBB9 second address: A4BBCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F3998BCD1ACh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4BBCE second address: A4BBD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4BBD4 second address: A4BBD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A191F9 second address: A191FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A191FF second address: A19204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19204 second address: A1920A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1920A second address: A1920E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1920E second address: A1923E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b pushad 0x0000000c jbe 00007F3998DAA3DBh 0x00000012 mov eax, 55FF3E0Ah 0x00000017 adc dx, 45B2h 0x0000001c popad 0x0000001d lea eax, dword ptr [ebp+12488F5Fh] 0x00000023 mov ecx, dword ptr [ebp+1246C034h] 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1923E second address: A19242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19242 second address: A19246 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19246 second address: A1924C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A192FD second address: A19301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19301 second address: A19316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d jng 00007F3998BCD1ACh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A198A2 second address: A198A8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A198A8 second address: A198C5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F3998BCD1ACh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F3998BCD1A8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19A0B second address: A19A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp], esi 0x00000008 sub dword ptr [ebp+122D1D84h], eax 0x0000000e nop 0x0000000f jmp 00007F3998DAA3DDh 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007F3998DAA3D8h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19B00 second address: A19B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3998BCD1ADh 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007F3998BCD1A6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19B1D second address: A19B4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jne 00007F3998DAA3EAh 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007F3998DAA3D6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19B4D second address: A19B5A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3998BCD1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19B5A second address: A19B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3998DAA3E3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19C56 second address: A19C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19C5B second address: A19C60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19DAC second address: A19DB6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19DB6 second address: A19DBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19DBA second address: A19DBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1A0CB second address: A1A0D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1A0D1 second address: A1A0D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1A0D5 second address: A1A0D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1A3AD second address: A1A3B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1A3B3 second address: A1A3E0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F3998DAA3E2h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jno 00007F3998DAA3DAh 0x00000015 mov eax, dword ptr [eax] 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1A3E0 second address: A1A3E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1A3E4 second address: A1A3F1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3998DAA3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1A3F1 second address: A1A3F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A51463 second address: A514AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F3998DAA3DCh 0x0000000c jl 00007F3998DAA3E7h 0x00000012 jmp 00007F3998DAA3DFh 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jne 00007F3998DAA3DEh 0x00000022 jmp 00007F3998DAA3E0h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A514AD second address: A514DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F3998BCD1A6h 0x00000009 jg 00007F3998BCD1A6h 0x0000000f jmp 00007F3998BCD1B3h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F3998BCD1AAh 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A514DE second address: A514E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A51640 second address: A5164A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3998BCD1B2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A55ED1 second address: A55ED5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A56010 second address: A56027 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F3998BCD1B2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A564CE second address: A564D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A564D2 second address: A564D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A567D6 second address: A567F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007F3998DAA3D6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F3998DAA3D8h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A567F0 second address: A567F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A567F6 second address: A56806 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3998DAA3D6h 0x00000008 jno 00007F3998DAA3D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A56806 second address: A56826 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3998BCD1AFh 0x00000007 pushad 0x00000008 jmp 00007F3998BCD1AAh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A599AC second address: A599B1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A59AE2 second address: A59AE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A59AE6 second address: A59AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A59AF2 second address: A59AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A59AF8 second address: A59AFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A59AFE second address: A59B0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F3998BCD1A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A59B0A second address: A59B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5C25B second address: A5C266 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F3998BCD1A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5BDE4 second address: A5BDED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5BDED second address: A5BDF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3998BCD1A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5BDF7 second address: A5BE1B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3998DAA3E6h 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F3998DAA3D6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5BFED second address: A5BFF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5FDF2 second address: A5FDFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5FDFC second address: A5FE05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5FE05 second address: A5FE09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5FE09 second address: A5FE0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A658F1 second address: A65905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F3998DAA3DCh 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A65EA8 second address: A65EC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3998BCD1B8h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19EEA second address: A19F71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pushad 0x00000007 push edx 0x00000008 jng 00007F3998DAA3D6h 0x0000000e pop edx 0x0000000f jmp 00007F3998DAA3DCh 0x00000014 popad 0x00000015 nop 0x00000016 mov edx, dword ptr [ebp+1244FB61h] 0x0000001c cld 0x0000001d mov ebx, dword ptr [ebp+12488F9Eh] 0x00000023 push 00000000h 0x00000025 push eax 0x00000026 call 00007F3998DAA3D8h 0x0000002b pop eax 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 add dword ptr [esp+04h], 0000001Ah 0x00000038 inc eax 0x00000039 push eax 0x0000003a ret 0x0000003b pop eax 0x0000003c ret 0x0000003d mov dword ptr [ebp+122D3055h], edx 0x00000043 mov dword ptr [ebp+122D3026h], ebx 0x00000049 add eax, ebx 0x0000004b push 00000000h 0x0000004d push esi 0x0000004e call 00007F3998DAA3D8h 0x00000053 pop esi 0x00000054 mov dword ptr [esp+04h], esi 0x00000058 add dword ptr [esp+04h], 00000018h 0x00000060 inc esi 0x00000061 push esi 0x00000062 ret 0x00000063 pop esi 0x00000064 ret 0x00000065 mov edi, dword ptr [ebp+122D29E0h] 0x0000006b nop 0x0000006c pushad 0x0000006d pushad 0x0000006e push edx 0x0000006f pop edx 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19F71 second address: A19FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3998BCD1B1h 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F3998BCD1AAh 0x00000011 nop 0x00000012 mov ecx, dword ptr [ebp+122D2CD0h] 0x00000018 push 00000004h 0x0000001a mov edi, 46469D00h 0x0000001f nop 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F3998BCD1B6h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19FBB second address: A19FD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3998DAA3DDh 0x0000000b popad 0x0000000c push eax 0x0000000d push ecx 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6605E second address: A66062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A66062 second address: A66072 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F3998DAA3D6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A66072 second address: A66081 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69CC6 second address: A69CD0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3998DAA3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69CD0 second address: A69CDA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3998BCD1ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6FBDE second address: A6FBE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6FBE2 second address: A6FC05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F3998BCD1A8h 0x0000000e pushad 0x0000000f popad 0x00000010 ja 00007F3998BCD1B0h 0x00000016 jmp 00007F3998BCD1AAh 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6FC05 second address: A6FC0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6FD5F second address: A6FD80 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F3998BCD1B9h 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6FD80 second address: A6FD84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A70B99 second address: A70BA9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jl 00007F3998BCD1A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76034 second address: A76038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76038 second address: A7603D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7603D second address: A76059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3998DAA3DFh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76059 second address: A7605F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7605F second address: A76069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F3998DAA3D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A79CC3 second address: A79CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A79CC7 second address: A79CCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A79189 second address: A791AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3998BCD1B9h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A791AC second address: A791BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3998DAA3DAh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A82D86 second address: A82D8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8101E second address: A81025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A81025 second address: A81079 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3998BCD1B2h 0x00000007 push esi 0x00000008 jmp 00007F3998BCD1B6h 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F3998BCD1B1h 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a jmp 00007F3998BCD1B0h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8134B second address: A81351 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A814DD second address: A81500 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F3998BCD1A6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e jmp 00007F3998BCD1AAh 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push ecx 0x00000016 jc 00007F3998BCD1BBh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A817B7 second address: A817BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A81C13 second address: A81C17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A81C17 second address: A81C65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F3998DAA3F5h 0x0000000f jmp 00007F3998DAA3DBh 0x00000014 jmp 00007F3998DAA3E4h 0x00000019 jnl 00007F3998DAA3F0h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A81C65 second address: A81C6C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A81DC8 second address: A81DCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A81DCC second address: A81DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A82BE4 second address: A82BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A82BE8 second address: A82BF2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3998BCD1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A80AE2 second address: A80AE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A80AE6 second address: A80AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A868A0 second address: A868C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F3998DAA3E8h 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A868C6 second address: A868F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3998BCD1B0h 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F3998BCD1A6h 0x00000012 jmp 00007F3998BCD1ADh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A868F0 second address: A868F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A868F4 second address: A868FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A89681 second address: A8968B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8968B second address: A896B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3998BCD1ADh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3998BCD1B3h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A896B5 second address: A896BF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3998DAA3D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A96D2B second address: A96D2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A96D2F second address: A96D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3998DAA3DEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jns 00007F3998DAA3D8h 0x00000011 jmp 00007F3998DAA3DCh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a jnp 00007F3998DAA3D6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C8586 second address: 9C858C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9B1C4 second address: A9B1CE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9B1CE second address: A9B1D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9B352 second address: A9B358 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9B358 second address: A9B35D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9B35D second address: A9B37F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F3998DAA3E5h 0x00000008 jl 00007F3998DAA3D6h 0x0000000e pop ecx 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E260 second address: A9E267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E267 second address: A9E285 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3998DAA3DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F3998DAA3D6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E285 second address: A9E289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E289 second address: A9E295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E295 second address: A9E2B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3998BCD1B1h 0x00000007 jp 00007F3998BCD1A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E2B4 second address: A9E2B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E2B8 second address: A9E2BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9E0ED second address: A9E11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F3998DAA3E0h 0x0000000f jng 00007F3998DAA3D6h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c jns 00007F3998DAA3D6h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CA004 second address: 9CA00B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAAE4E second address: AAAE52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAAE52 second address: AAAE62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F3998BCD1A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAAE62 second address: AAAE8F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3998DAA3E7h 0x00000008 push eax 0x00000009 jbe 00007F3998DAA3D6h 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jc 00007F3998DAA3FCh 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAAE8F second address: AAAEAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3998BCD1AEh 0x00000007 jng 00007F3998BCD1A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AADD34 second address: AADD4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F3998DAA3E0h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB3957 second address: AB3980 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3998BCD1AEh 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F3998BCD1A6h 0x0000000f jmp 00007F3998BCD1B1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB3F12 second address: AB3F17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB4055 second address: AB406A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3998BCD1B1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB406A second address: AB4092 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3998DAA3E8h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push edi 0x0000000d jne 00007F3998DAA3DCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB7F35 second address: AB7F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABAE8D second address: ABAE95 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABAE95 second address: ABAE9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABAE9D second address: ABAEB2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3998DAA3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jl 00007F3998DAA3E2h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABAEB2 second address: ABAEB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABAA12 second address: ABAA16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABAA16 second address: ABAA26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3998BCD1AAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABAA26 second address: ABAA56 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F3998DAA3E3h 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jns 00007F3998DAA3DCh 0x00000014 jc 00007F3998DAA3E2h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABD008 second address: ABD011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABD011 second address: ABD017 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABD017 second address: ABD01B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABD01B second address: ABD025 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3998DAA3D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACB83A second address: ACB859 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3998BCD1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push ebx 0x0000000c jmp 00007F3998BCD1AFh 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADA228 second address: ADA22C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEFBBC second address: AEFBC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEFBC5 second address: AEFBDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3998DAA3E1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEFBDA second address: AEFBE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF34D2 second address: AF3518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jne 00007F3998DAA3D6h 0x0000000b jmp 00007F3998DAA3E9h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 jg 00007F3998DAA3E2h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f je 00007F3998DAA3D6h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF3518 second address: AF351D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF351D second address: AF3525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF3672 second address: AF3686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3998BCD1B0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF3BDA second address: AF3BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 js 00007F3998DAA3DEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF3E98 second address: AF3EA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF7046 second address: AF704B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF713A second address: AF713E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF713E second address: AF7150 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3998DAA3DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFA0B6 second address: AFA0BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFA0BB second address: AFA0CC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 ja 00007F3998DAA3D6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFA0CC second address: AFA0D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3998BCD1A6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFBB46 second address: AFBB4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0CCB second address: 50B0D07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov cl, 90h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ecx, dword ptr [eax+00000FDCh] 0x00000010 jmp 00007F3998BCD1B1h 0x00000015 test ecx, ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a call 00007F3998BCD1B3h 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0D07 second address: 50B0D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0D0C second address: 50B0D12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0D12 second address: 50B0D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0D16 second address: 50B0D49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3998BCD1AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jns 00007F3998BCD200h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3998BCD1B7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0D49 second address: 50B0D61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3998DAA3E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0D61 second address: 50B0D99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3998BCD1ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add eax, ecx 0x0000000d jmp 00007F3998BCD1B6h 0x00000012 mov eax, dword ptr [eax+00000860h] 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov bl, D9h 0x0000001d movzx ecx, di 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0D99 second address: 50B0DC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, esi 0x00000005 pushfd 0x00000006 jmp 00007F3998DAA3DAh 0x0000000b sbb eax, 4B139C28h 0x00000011 jmp 00007F3998DAA3DBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a test eax, eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0DC6 second address: 50B0DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0DCA second address: 50B0DE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3998DAA3E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0DE5 second address: 50B0DEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0DEB second address: 50B0DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0DEF second address: 50B0DF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0DF3 second address: 50B0E07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F3A098F033Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0E07 second address: 50B0E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0E0B second address: 50B0E0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0E0F second address: 50B0E15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 863CD4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A2E5E0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A8F85D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 7576 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7588 Thread sleep time: -30000s >= -30000s
Source: file.exe, 00000000.00000002.1748687444.00000000009E3000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1749683516.0000000001286000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748278382.0000000001286000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1749617706.000000000124E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWho+
Source: file.exe, 00000000.00000002.1749802376.00000000012B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748175798.00000000012B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn?r
Source: file.exe, 00000000.00000002.1748687444.00000000009E3000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00845BB0 LdrInitializeThunk, 0_2_00845BB0

HIPS / PFW / Operating System Protection Evasion

Source: file.exe String found in binary or memory: licendfilteo.site
Source: file.exe String found in binary or memory: clearancek.site
Source: file.exe String found in binary or memory: bathdoomgaz.stor
Source: file.exe String found in binary or memory: spirittunek.stor
Source: file.exe String found in binary or memory: dissapoiznw.stor
Source: file.exe String found in binary or memory: studennotediw.stor
Source: file.exe String found in binary or memory: mobbipenju.stor
Source: file.exe String found in binary or memory: eaglepawnoy.stor
Source: file.exe, 00000000.00000002.1748877593.0000000000A2D000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Program Manager
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR