Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1538068
MD5:	ae7fda647df94fb9207204a517856151
SHA1:	57e738f83c355c72b9d48e0b120a27c40889c38e
SHA256:	7da052a541128f2cdacb400d37b765039cac8b4e293fc53a88ac721c144950c9
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Entry point lies outside standard sections

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com:443/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: file.exe.7436.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["clearancek.site", "mobbipenju.store", "dissapoiznw.store", "bathdoomgaz.store", "studennotediw.store", "eaglepawnoy.store", "licendfilteo.site", "spirittunek.store"], "Build id": "4SD0y4--legendaryy"}

Multi AV Scanner detection for domain / URL

Source: sergei-esenin.com	Virustotal: Detection: 19%	Perma Link
Source: bathdoomgaz.store	Virustotal: Detection: 21%	Perma Link
Source: spirittunek.store	Virustotal: Detection: 21%	Perma Link

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 43%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.store
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.store
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.store
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.store
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.store
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.store
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49739 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.4:55049 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.4:49241 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.4:59702 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.4:51355 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.4:64120 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.4:62543 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.4:63670 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.4:59915 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49732 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49734 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49730 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 104.21.53.8:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: mobbipenju.store
Source: Malware configuration extractor	URLs: dissapoiznw.store
Source: Malware configuration extractor	URLs: bathdoomgaz.store
Source: Malware configuration extractor	URLs: studennotediw.store
Source: Malware configuration extractor	URLs: eaglepawnoy.store
Source: Malware configuration extractor	URLs: licendfilteo.site
Source: Malware configuration extractor	URLs: spirittunek.store

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AKAMAI-ASUS AKAMAI-ASUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=bKmBZVeXetEUsJEvqQWppTmgKdLdaxlDFkrWihgCGmQ-1729406342-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=bKmBZVeXetEUsJEvqQWppTmgKdLdaxlDFkrWihgCGmQ-1729406342-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18168Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=bKmBZVeXetEUsJEvqQWppTmgKdLdaxlDFkrWihgCGmQ-1729406342-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8789Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=bKmBZVeXetEUsJEvqQWppTmgKdLdaxlDFkrWihgCGmQ-1729406342-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20442Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=bKmBZVeXetEUsJEvqQWppTmgKdLdaxlDFkrWihgCGmQ-1729406342-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1245Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=bKmBZVeXetEUsJEvqQWppTmgKdLdaxlDFkrWihgCGmQ-1729406342-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 586556Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=bKmBZVeXetEUsJEvqQWppTmgKdLdaxlDFkrWihgCGmQ-1729406342-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: file.exe, 00000000.00000002.1852469176.0000000001281000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.0000000001271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ' https://cosergei-esenin.comsergei-esenin.comty/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcasQ7B equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1690568055.000000000129E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1690697919.000000000128B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C0e3d185a3e106e73b244decdec33a0ea; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=af6637e6d5cd8f076664704a; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34508Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 20 Oct 2024 06:39:01 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1690697919.000000000128B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: t.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: t.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C0e3d185a3e106e73b244decdec33a0ea; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=af6637e6d5cd8f076664704a; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34508Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 20 Oct 2024 06:39:01 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.1852469176.0000000001281000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.0000000001271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ty/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcas equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sun, 20 Oct 2024 06:39:02 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JuaMAjSNvLuGswKX4gwL3ISsU7GnOoH0MZusFU17FC9mbzufQz1G7FfB2N7Y92jiEyom3BtaFgA8Z0QU%2F39MyShlH%2F08IL7HYshTvlUjz98zeevg4wkRztf3156isbPjuHmEgA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d5702296a0b535b-LAX

Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719628135.0000000005BF9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a61
Source: file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000002.1852469176.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700659896.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bathdoomgaz.store:443/apibcryptPrimitives.dll(
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719628135.0000000005BF9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1690697919.000000000128B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719628135.0000000005BF9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719628135.0000000005BF9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, file.exe, 00000000.00000003.1690568055.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1852469176.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700772120.0000000001265000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690697919.0000000001265000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700659896.0000000001263000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site/api
Source: file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700659896.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site:443/api
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/
Source: file.exe, 00000000.00000003.1690568055.0000000001248000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/applications/community/main.css?v=DVae4t4RZiHA&l=en
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/globalv2.css?v=dQy8Omh4p9PH&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/promo/summer2017/stickers.css?v=P8gOPraCSjV6&l=engl
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/header.css?v=pTvrRy1pm52p&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/profilev2.css?v=t9xiI4DlPpEB&l=english
Source: file.exe, 00000000.00000003.1690568055.0000000001248000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000003.1690568055.0000000001248000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/libraries~b28b7af69.js?v=
Source: file.exe, 00000000.00000003.1690568055.0000000001248000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/main.js?v=4XouecKy8sZy&am
Source: file.exe, 00000000.00000003.1690568055.0000000001248000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/manifest.js?v=r7a4-LYcQOj
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/global.js?v=7qlUmHSJhPRN&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/modalContent.js?v=XpCpvP7feUoO&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/profile.js?v=bbs9uq0gqJ-H&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/promo/stickers.js?v=W8NP8aTVqtms&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL&l=
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/webui/clientcom.js?v=jq1jQyX1843y&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/css/buttons.css?v=-WV9f1LdxEjq&l=english
Source: file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/css/motiva_sans.css?v=v7XTmVzbLV33&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/css/shared_global.css?v=uF6G1wyNU-4c&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/css/shared_responsive.css?v=kR9MtmbWSZEp&l=engli
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&l=engl
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/shared_global.js?v=7glT1n_nkVCs&l=eng
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvIAKtunf
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000002.1852469176.0000000001281000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.0000000001271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cosergei-esenin.comsergei-esenin.comty/public/assets/
Source: file.exe, 00000000.00000002.1852469176.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700659896.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dissapoiznw.store:443/api
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700659896.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://licendfilteo.site:443/api
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700659896.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mobbipenju.store:443/api
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, file.exe, 00000000.00000003.1850629516.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700772120.000000000128B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1851091044.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1853087164.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700849717.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000003.1850629516.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1851091044.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1853087164.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/BK
Source: file.exe, 00000000.00000003.1700849717.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000000.00000002.1857604053.0000000005BD2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1851374834.0000000005BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api(
Source: file.exe, 00000000.00000003.1700659896.0000000001248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/apiHv$
Source: file.exe, 00000000.00000003.1851345687.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1858209085.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/apieP
Source: file.exe, 00000000.00000003.1851345687.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1858209085.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/apiwz
Source: file.exe, 00000000.00000003.1850629516.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1851091044.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1853087164.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/k
Source: file.exe, 00000000.00000003.1700772120.000000000128B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700849717.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/za%
Source: file.exe, 00000000.00000002.1852469176.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/api
Source: file.exe, 00000000.00000002.1852469176.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/api4p.default-release/key4.dbPK
Source: file.exe, 00000000.00000002.1852469176.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/api6
Source: file.exe, 00000000.00000002.1852469176.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/apiK
Source: file.exe, 00000000.00000003.1700659896.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/apih
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.1690697919.000000000128B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/U
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/p
Source: file.exe, 00000000.00000003.1690568055.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690697919.0000000001265000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900&
Source: file.exe, 00000000.00000003.1690568055.0000000001248000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000002.1852469176.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700659896.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.1690568055.000000000129E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690697919.000000000128B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.1690697919.000000000128B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C0e3d185a3e106e7
Source: file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1718877156.0000000005C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: file.exe, 00000000.00000003.1754118021.0000000005EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1754118021.0000000005EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.1718877156.0000000005C3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: file.exe, 00000000.00000003.1718877156.0000000005C3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: file.exe, 00000000.00000003.1700772120.000000000128B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: file.exe, 00000000.00000003.1700849717.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-
Source: file.exe, 00000000.00000003.1700628151.00000000012D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719628135.0000000005BF9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.1754118021.0000000005EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: file.exe, 00000000.00000003.1754118021.0000000005EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000003.1754118021.0000000005EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.1754118021.0000000005EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1754118021.0000000005EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49739 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: ZLIB complexity 0.9995487830033003

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@10/2

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000003.1719103299.0000000005C14000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

Virustotal: Detection: 43%

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe	String found in binary or memory: RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNe

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static file information: File size 3058688 > 1048576

Source: file.exe

Static PE information: Raw size of teechqve is bigger than: 0x100000 < 0x2c1600

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.4d0000.0.unpack :EW;.rsrc :W;.idata :W;teechqve:EW;nqocidhr:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;teechqve:EW;nqocidhr:EW;.taggant:EW;

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x2f67a0 should be: 0x2f4a1f

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: teechqve
Source: file.exe	Static PE information: section name: nqocidhr
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9C2C push 234F6F6Ch; ret	0_3_012F9C31
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9C2C push 234F6F6Ch; ret	0_3_012F9C31
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9C2C push 234F6F6Ch; ret	0_3_012F9C31
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9C2C push 234F6F6Ch; ret	0_3_012F9C31
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9C2C push 234F6F6Ch; ret	0_3_012F9C31
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB71A push ecx; ret	0_3_012FB743
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB71A push ecx; ret	0_3_012FB743
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB71A push ecx; ret	0_3_012FB743
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB71A push ecx; ret	0_3_012FB743
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB71A push ecx; ret	0_3_012FB743
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB71A push ecx; ret	0_3_012FB743
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB71A push ecx; ret	0_3_012FB743
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9F6A push ecx; ret	0_3_012F9FA1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9F6A push ecx; ret	0_3_012F9FA1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9F6A push ecx; ret	0_3_012F9FA1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9F6A push ecx; ret	0_3_012F9FA1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9F6A push ecx; ret	0_3_012F9FA1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB9AA push ds; ret	0_3_012FB9AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB9AA push ds; ret	0_3_012FB9AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB9AA push ds; ret	0_3_012FB9AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB9AA push ds; ret	0_3_012FB9AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB9AA push ds; ret	0_3_012FB9AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB9AA push ds; ret	0_3_012FB9AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB9AA push ds; ret	0_3_012FB9AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FDFA8 push eax; retf	0_3_012FDFA9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FDFA8 push eax; retf	0_3_012FDFA9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FDFA8 push eax; retf	0_3_012FDFA9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FDFA8 push eax; retf	0_3_012FDFA9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FDFA8 push eax; retf	0_3_012FDFA9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FDFA8 push eax; retf	0_3_012FDFA9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FDFA8 push eax; retf	0_3_012FDFA9

Source: file.exe

Static PE information: section name: entropy: 7.982552792221966

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\file.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C93D4 second address: 6C93E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C93E0 second address: 6C9404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F377CE47997h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C9404 second address: 6C9409 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C9409 second address: 6C9426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007F377CE47986h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007F377CE47986h 0x00000017 jnp 00007F377CE47986h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C9426 second address: 6C942A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C95A9 second address: 6C95AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C9997 second address: 6C99B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F377C5325FBh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC2CC second address: 6CC2D2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC2D2 second address: 6CC2D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC2D7 second address: 6CC31D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jno 00007F377CE4799Fh 0x00000012 xor edi, 19400081h 0x00000018 push 00000000h 0x0000001a mov edx, dword ptr [ebp+122D3BE0h] 0x00000020 call 00007F377CE47989h 0x00000025 push esi 0x00000026 push ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC31D second address: 6CC334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 jns 00007F377C5325ECh 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC334 second address: 6CC360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F377CE47990h 0x0000000f mov eax, dword ptr [eax] 0x00000011 pushad 0x00000012 jnl 00007F377CE4798Ch 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC360 second address: 6CC366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC366 second address: 6CC374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC374 second address: 6CC3D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377C5325F7h 0x00000009 popad 0x0000000a pop esi 0x0000000b pop eax 0x0000000c xor dword ptr [ebp+122D1DFFh], ebx 0x00000012 push 00000003h 0x00000014 or dword ptr [ebp+122D3015h], eax 0x0000001a push 00000000h 0x0000001c cmc 0x0000001d push 00000003h 0x0000001f sub dword ptr [ebp+122D1D5Dh], eax 0x00000025 call 00007F377C5325E9h 0x0000002a jmp 00007F377C5325EBh 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F377C5325F5h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC3D7 second address: 6CC42F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F377CE47994h 0x00000008 jmp 00007F377CE4798Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 je 00007F377CE47988h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d pushad 0x0000001e popad 0x0000001f pop eax 0x00000020 popad 0x00000021 mov eax, dword ptr [eax] 0x00000023 pushad 0x00000024 jmp 00007F377CE47997h 0x00000029 pushad 0x0000002a ja 00007F377CE47986h 0x00000030 push edi 0x00000031 pop edi 0x00000032 popad 0x00000033 popad 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push ecx 0x0000003c pop ecx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC42F second address: 6CC45C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub dword ptr [ebp+122D1DF8h], eax 0x0000000e lea ebx, dword ptr [ebp+1246C1B5h] 0x00000014 clc 0x00000015 xchg eax, ebx 0x00000016 pushad 0x00000017 push edi 0x00000018 js 00007F377C5325E6h 0x0000001e pop edi 0x0000001f pushad 0x00000020 push eax 0x00000021 pop eax 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 popad 0x00000025 popad 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC45C second address: 6CC460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC460 second address: 6CC47D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EC814 second address: 6EC868 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnc 00007F377CE47986h 0x00000009 pop edx 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F377CE47991h 0x00000016 pushad 0x00000017 push edi 0x00000018 pop edi 0x00000019 pushad 0x0000001a popad 0x0000001b jbe 00007F377CE47986h 0x00000021 jmp 00007F377CE47996h 0x00000026 popad 0x00000027 push esi 0x00000028 pushad 0x00000029 popad 0x0000002a pushad 0x0000002b popad 0x0000002c pop esi 0x0000002d push eax 0x0000002e push edx 0x0000002f jo 00007F377CE47986h 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EC868 second address: 6EC86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B504E second address: 6B5053 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA6AD second address: 6EA6B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA6B3 second address: 6EA6E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F377CE47996h 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA6E1 second address: 6EA6EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F377C5325E6h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA829 second address: 6EA843 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F377CE47995h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA978 second address: 6EA982 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F377C5325E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA982 second address: 6EA987 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA987 second address: 6EA9AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377C5325F9h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA9AB second address: 6EA9AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EAC72 second address: 6EAC77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EAC77 second address: 6EACA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377CE47992h 0x00000009 jmp 00007F377CE47991h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EACA2 second address: 6EACCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F377C5325E6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jnl 00007F377C5325F7h 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EAE4C second address: 6EAE50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EAE50 second address: 6EAE54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EAE54 second address: 6EAE5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EAE5A second address: 6EAE75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F377C5325F1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EAFBB second address: 6EAFC5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F377CE4798Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EB2A5 second address: 6EB2B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007F377C5325E6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EB800 second address: 6EB80C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jc 00007F377CE47986h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EB80C second address: 6EB834 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F2h 0x00000007 jmp 00007F377C5325ECh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EB834 second address: 6EB838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E33DA second address: 6E33E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E33E0 second address: 6E33EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C2B34 second address: 6C2B38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C2B38 second address: 6C2B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EC25A second address: 6EC264 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F377C5325ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EC392 second address: 6EC3C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377CE47992h 0x00000009 pop edi 0x0000000a pushad 0x0000000b jg 00007F377CE47986h 0x00000011 jmp 00007F377CE47990h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EC3C2 second address: 6EC3D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jnc 00007F377C5325E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EE750 second address: 6EE754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EE754 second address: 6EE758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EE758 second address: 6EE75E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EDD37 second address: 6EDD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EDD3B second address: 6EDD41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EEE06 second address: 6EEE0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B6C04 second address: 6B6C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F377CE47986h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B6C11 second address: 6B6C15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C1031 second address: 6C1040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F377CE47986h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C1040 second address: 6C1044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C1044 second address: 6C104A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F6E77 second address: 6F6E7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F6E7D second address: 6F6E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F377CE4798Bh 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 ja 00007F377CE47986h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F727D second address: 6F72B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F377C5325EAh 0x0000000e jmp 00007F377C5325F5h 0x00000013 pop esi 0x00000014 pushad 0x00000015 jmp 00007F377C5325EAh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F75AB second address: 6F75B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F75B3 second address: 6F75BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F377C5325E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F75BF second address: 6F75C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F75C3 second address: 6F75C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F76ED second address: 6F76F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F76F3 second address: 6F76F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F76F7 second address: 6F7718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377CE47991h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F377CE4798Eh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F7824 second address: 6F783D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a je 00007F377C5325E6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAFB2 second address: 6FAFDD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 js 00007F377CE47991h 0x0000000f jmp 00007F377CE4798Bh 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a push edx 0x0000001b pop edx 0x0000001c pop edx 0x0000001d pop eax 0x0000001e mov eax, dword ptr [eax] 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAFDD second address: 6FAFF5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F377C5325E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop esi 0x0000000e popad 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAFF5 second address: 6FAFF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FB4B4 second address: 6FB4B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBB62 second address: 6FBB66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBB66 second address: 6FBB6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBB6C second address: 6FBB72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBB72 second address: 6FBB76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBB76 second address: 6FBBC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F377CE47988h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 push eax 0x00000026 or dword ptr [ebp+122D1D16h], edx 0x0000002c pop esi 0x0000002d nop 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F377CE47994h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBBC6 second address: 6FBBD0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F377C5325E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBBD0 second address: 6FBBFF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F377CE4798Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F377CE47999h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBCFB second address: 6FBD00 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FC1D4 second address: 6FC1E4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F377CE47986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FC1E4 second address: 6FC1EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FC1EB second address: 6FC1F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FC1F1 second address: 6FC233 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F377C5325E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F377C5325E8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 call 00007F377C5325EBh 0x0000002c pop esi 0x0000002d xchg eax, ebx 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FC233 second address: 6FC237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FC237 second address: 6FC252 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FD10E second address: 6FD124 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377CE47992h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FE266 second address: 6FE282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F377C5325F3h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FD8AE second address: 6FD8B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FD8B4 second address: 6FD8B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70015F second address: 700172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F377CE47988h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 700172 second address: 7001AD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F377C5325ECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jbe 00007F377C5325ECh 0x00000011 mov dword ptr [ebp+122D2FF9h], edx 0x00000017 push 00000000h 0x00000019 xor dword ptr [ebp+12489FC6h], eax 0x0000001f push 00000000h 0x00000021 mov esi, 3D9AEF4Ch 0x00000026 push eax 0x00000027 push ecx 0x00000028 pushad 0x00000029 jmp 00007F377C5325EAh 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FFEF9 second address: 6FFF04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F377CE47986h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FFF04 second address: 6FFF1B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F377C5325ECh 0x00000008 jns 00007F377C5325E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FFF1B second address: 6FFF25 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F377CE47986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FFF25 second address: 6FFF2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F377C5325E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BF595 second address: 6BF599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BF599 second address: 6BF5AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007F377C5325ECh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BF5AD second address: 6BF5B8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 705306 second address: 70530A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 706B01 second address: 706B06 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 706B06 second address: 706B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a movsx ebx, ax 0x0000000d push dword ptr fs:[00000000h] 0x00000014 sub di, 0BC9h 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 or dword ptr [ebp+122D2DB1h], eax 0x00000026 mov eax, dword ptr [ebp+122D1535h] 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007F377C5325E8h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 00000017h 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 js 00007F377C5325E9h 0x0000004c xor bl, 0000004Fh 0x0000004f push FFFFFFFFh 0x00000051 push 00000000h 0x00000053 push ecx 0x00000054 call 00007F377C5325E8h 0x00000059 pop ecx 0x0000005a mov dword ptr [esp+04h], ecx 0x0000005e add dword ptr [esp+04h], 00000014h 0x00000066 inc ecx 0x00000067 push ecx 0x00000068 ret 0x00000069 pop ecx 0x0000006a ret 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 jnl 00007F377C5325E6h 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 706B83 second address: 706B89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 708945 second address: 70894B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 707AF6 second address: 707AFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 707AFC second address: 707B00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 708B0C second address: 708B2A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F377CE47988h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F377CE4798Fh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 708BCD second address: 708BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 708BD1 second address: 708BD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 709BB1 second address: 709BB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70BAF1 second address: 70BB0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377CE47999h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70CA3D second address: 70CA4D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F377C5325E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70CA4D second address: 70CA52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70CB53 second address: 70CB5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F377C5325E6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 711A57 second address: 711A5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 712976 second address: 712980 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70ED25 second address: 70ED36 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F377CE47988h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70FA7C second address: 70FA80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70FA80 second address: 70FA86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 711BC8 second address: 711BDE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F377C5325EEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70FA86 second address: 70FB11 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jo 00007F377CE47986h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f pushad 0x00000010 call 00007F377CE4798Bh 0x00000015 pop ebx 0x00000016 mov dword ptr [ebp+1247E03Eh], ecx 0x0000001c popad 0x0000001d push dword ptr fs:[00000000h] 0x00000024 jo 00007F377CE4798Ch 0x0000002a mov dword ptr [ebp+1246C8C9h], eax 0x00000030 mov dword ptr [ebp+12495C4Bh], edx 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d mov bl, 78h 0x0000003f mov eax, dword ptr [ebp+122D025Dh] 0x00000045 push 00000000h 0x00000047 push ebx 0x00000048 call 00007F377CE47988h 0x0000004d pop ebx 0x0000004e mov dword ptr [esp+04h], ebx 0x00000052 add dword ptr [esp+04h], 0000001Bh 0x0000005a inc ebx 0x0000005b push ebx 0x0000005c ret 0x0000005d pop ebx 0x0000005e ret 0x0000005f mov di, dx 0x00000062 add edi, dword ptr [ebp+122D31E1h] 0x00000068 push FFFFFFFFh 0x0000006a mov dword ptr [ebp+122D331Fh], ebx 0x00000070 mov edi, eax 0x00000072 push eax 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 jnl 00007F377CE47986h 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71486F second address: 714873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 716C64 second address: 716C6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7149A8 second address: 714A40 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F377C5325F4h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e cld 0x0000000f push dword ptr fs:[00000000h] 0x00000016 jbe 00007F377C5325F1h 0x0000001c or dword ptr [ebp+1247532Ch], esi 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007F377C5325E8h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 00000015h 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 mov eax, dword ptr [ebp+122D0F0Dh] 0x00000049 or dword ptr [ebp+122D3015h], ebx 0x0000004f push FFFFFFFFh 0x00000051 jmp 00007F377C5325F6h 0x00000056 nop 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F377C5325F1h 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 716C6C second address: 716C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AE750 second address: 6AE754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71D142 second address: 71D152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377CE4798Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71D152 second address: 71D156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6ACC67 second address: 6ACC73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jng 00007F377CE47986h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 720015 second address: 720029 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325EDh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72027F second address: 7202B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F377CE47986h 0x0000000a jmp 00007F377CE4798Ah 0x0000000f jmp 00007F377CE47994h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F377CE4798Dh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7202B9 second address: 7202BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 724C59 second address: 724C6B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jl 00007F377CE4798Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 724C6B second address: 724C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F377C5325ECh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 724DE7 second address: 724E02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47997h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72A426 second address: 72A430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F377C5325E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72A430 second address: 72A436 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72AE8E second address: 72AE94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72B1A8 second address: 72B1AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72B1AF second address: 72B1D5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F377C5325E8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b jmp 00007F377C5325F9h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72B1D5 second address: 72B1DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72B32B second address: 72B346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F377C5325F2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72B346 second address: 72B34A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72B5B9 second address: 72B605 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F377C5325E6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F377C5325F2h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 jmp 00007F377C5325F8h 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d pop ebx 0x0000001e jnc 00007F377C5325EEh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72B605 second address: 72B60D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E0DC second address: 72E13F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F377C5325F2h 0x00000008 pop edx 0x00000009 jmp 00007F377C5325EAh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F377C5325EEh 0x00000019 pop ecx 0x0000001a jmp 00007F377C5325F9h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F377C5325F1h 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E13F second address: 72E143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734355 second address: 73435A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F9A26 second address: 6E33DA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F377CE47988h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D1D93h], ecx 0x0000002a lea eax, dword ptr [ebp+124997A0h] 0x00000030 mov dword ptr [ebp+122D1D6Dh], edi 0x00000036 push eax 0x00000037 jmp 00007F377CE47997h 0x0000003c mov dword ptr [esp], eax 0x0000003f mov dword ptr [ebp+122D1D93h], ecx 0x00000045 call dword ptr [ebp+122D307Eh] 0x0000004b pushad 0x0000004c jp 00007F377CE4798Ah 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F9B0F second address: 6F9B15 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA04A second address: 6FA064 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F377CE47991h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA0E7 second address: 6FA0ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA0ED second address: 6FA145 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F377CE47994h 0x00000008 jne 00007F377CE47986h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007F377CE47992h 0x00000018 jmp 00007F377CE4798Eh 0x0000001d popad 0x0000001e xchg eax, esi 0x0000001f mov dword ptr [ebp+122D3319h], ecx 0x00000025 nop 0x00000026 pushad 0x00000027 push edi 0x00000028 jl 00007F377CE47986h 0x0000002e pop edi 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA145 second address: 6FA149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA24F second address: 6FA285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [esp+04h] 0x00000008 jmp 00007F377CE4798Bh 0x0000000d mov eax, dword ptr [eax] 0x0000000f jl 00007F377CE479ABh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F377CE47999h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA285 second address: 6FA289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA4CA second address: 6FA4DC instructions: 0x00000000 rdtsc 0x00000002 jns 00007F377CE47986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F377CE4798Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA93D second address: 6FA94A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F377C5325E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA94A second address: 6FA950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAB86 second address: 6FAC20 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jp 00007F377C5325E6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edx, 787D3DC0h 0x00000014 lea eax, dword ptr [ebp+124997E4h] 0x0000001a jmp 00007F377C5325F7h 0x0000001f mov ch, bl 0x00000021 nop 0x00000022 push ebx 0x00000023 jmp 00007F377C5325F9h 0x00000028 pop ebx 0x00000029 push eax 0x0000002a jnp 00007F377C5325EEh 0x00000030 nop 0x00000031 push edx 0x00000032 mov di, 157Fh 0x00000036 pop ecx 0x00000037 lea eax, dword ptr [ebp+124997A0h] 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007F377C5325E8h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 00000017h 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 mov edi, 7EB5B63Dh 0x0000005c nop 0x0000005d jng 00007F377C5325F4h 0x00000063 push eax 0x00000064 push edx 0x00000065 push ecx 0x00000066 pop ecx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAC20 second address: 6FAC31 instructions: 0x00000000 rdtsc 0x00000002 je 00007F377CE47986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAC31 second address: 6E3E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007F377C5325E8h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 00000017h 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 jmp 00007F377C5325F4h 0x00000026 call dword ptr [ebp+122D1CCCh] 0x0000002c pushad 0x0000002d jmp 00007F377C5325F4h 0x00000032 pushad 0x00000033 pushad 0x00000034 popad 0x00000035 pushad 0x00000036 popad 0x00000037 je 00007F377C5325E6h 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734E0E second address: 734E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734E13 second address: 734E20 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734E20 second address: 734E26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734E26 second address: 734E2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734F6B second address: 734F71 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734F71 second address: 734F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jns 00007F377C5325E6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734F81 second address: 734F85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734F85 second address: 734F8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B87A0 second address: 6B87BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F377CE47996h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B87BC second address: 6B87D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377C5325F0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73AED7 second address: 73AEDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B083 second address: 73B089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B089 second address: 73B08D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B206 second address: 73B20A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B4C2 second address: 73B4DD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F377CE47986h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f popad 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jns 00007F377CE47986h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B4DD second address: 73B4E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B4E1 second address: 73B4E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B4E7 second address: 73B4ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B4ED second address: 73B50E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47997h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F377CE47986h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B669 second address: 73B674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F377C5325E6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B674 second address: 73B67A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B67A second address: 73B691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377C5325F3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B915 second address: 73B919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7412BD second address: 7412C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73FCD9 second address: 73FCE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jp 00007F377CE47988h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73FCE7 second address: 73FCF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73FF93 second address: 73FF9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7400E3 second address: 7400EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7400EF second address: 7400F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740244 second address: 74026E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F377C5325FFh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74026E second address: 740298 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47997h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnc 00007F377CE47986h 0x00000010 jl 00007F377CE47986h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740401 second address: 740406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740559 second address: 74055E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74055E second address: 740564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740564 second address: 74058F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F377CE47999h 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007F377CE47986h 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7407FC second address: 740824 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a jmp 00007F377C5325F8h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740824 second address: 740843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377CE47997h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740843 second address: 74084B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7409B6 second address: 7409BC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7409BC second address: 7409CA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F377C5325E8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7409CA second address: 7409D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740B5B second address: 740B7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 js 00007F377C5325E6h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F377C5325F2h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740B7D second address: 740B81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 744316 second address: 744328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 744328 second address: 744340 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47994h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 744340 second address: 744346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 743D36 second address: 743D54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F377CE4798Eh 0x0000000c pop eax 0x0000000d jl 00007F377CE4798Eh 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74620B second address: 746226 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746226 second address: 746258 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F377CE4798Ah 0x00000008 jc 00007F377CE4798Ah 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 jo 00007F377CE47986h 0x0000001d push esi 0x0000001e pop esi 0x0000001f pop ebx 0x00000020 pushad 0x00000021 jne 00007F377CE47986h 0x00000027 jne 00007F377CE47986h 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746258 second address: 74625E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74AEB6 second address: 74AEBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74AEBA second address: 74AEC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74AEC6 second address: 74AEF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F377CE4798Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007F377CE4799Dh 0x00000011 jmp 00007F377CE47997h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74B06F second address: 74B079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F377C5325E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74B079 second address: 74B087 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74B087 second address: 74B0A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F377C5325EDh 0x0000000c pop edi 0x0000000d pushad 0x0000000e jnl 00007F377C5325E8h 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74B397 second address: 74B39D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 750BA8 second address: 750BAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 750BAC second address: 750BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F377CE47986h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007F377CE4798Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 750BC6 second address: 750BEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c jc 00007F377C5325E6h 0x00000012 je 00007F377C5325E6h 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74F903 second address: 74F912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jc 00007F377CE4799Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74F912 second address: 74F925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377C5325EFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74F925 second address: 74F92A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74F92A second address: 74F958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377C5325F9h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F377C5325ECh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74FADC second address: 74FAE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74FD9A second address: 74FDAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377C5325EFh 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7508C4 second address: 7508C9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7508C9 second address: 7508D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7546B0 second address: 7546B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7546B4 second address: 7546E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F377C5325E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007F377C5325EEh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F377C5325F1h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 754B76 second address: 754B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 754B7A second address: 754B7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 754B7E second address: 754B84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 754B84 second address: 754B8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 754B8D second address: 754B93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 754DFE second address: 754E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C0CE second address: 75C0E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C0E1 second address: 75C108 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325EAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F377C5325F3h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C108 second address: 75C112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F377CE47986h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C112 second address: 75C116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75A32C second address: 75A336 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F377CE47986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75A336 second address: 75A368 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F377C5325ECh 0x0000000a jc 00007F377C5325E6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F377C5325F8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75A368 second address: 75A3A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47991h 0x00000007 jnc 00007F377CE47986h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push edi 0x00000013 jmp 00007F377CE47999h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75B2C0 second address: 75B2CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F377C5325E6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75B2CB second address: 75B2F5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F377CE479A0h 0x00000008 jg 00007F377CE47986h 0x0000000e jmp 00007F377CE47994h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75B2F5 second address: 75B2FB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BDA36 second address: 6BDA3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 766AC8 second address: 766AD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F377C5325E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 766AD4 second address: 766AD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 766AD8 second address: 766ADC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 766F23 second address: 766F29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76725D second address: 767289 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F377C5325F2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 767516 second address: 76751A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76ECA4 second address: 76ECAE instructions: 0x00000000 rdtsc 0x00000002 je 00007F377C5325EEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76ECAE second address: 76ECB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76CDC6 second address: 76CDD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F377C5325E8h 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76D1A8 second address: 76D20F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377CE47997h 0x00000009 jnc 00007F377CE47986h 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F377CE47998h 0x00000018 jmp 00007F377CE47990h 0x0000001d popad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F377CE47996h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76D344 second address: 76D34A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76D8BF second address: 76D8C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76D8C5 second address: 76D8CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76D8CB second address: 76D8D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76DC28 second address: 76DC35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76DC35 second address: 76DC39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76DC39 second address: 76DC3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76EB44 second address: 76EB5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F377CE4799Ah 0x0000000b push edi 0x0000000c ja 00007F377CE47986h 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 push edi 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76C92D second address: 76C94A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F377C5325F2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76C94A second address: 76C950 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 775FF3 second address: 775FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 775FFB second address: 776018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F377CE4798Fh 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 776018 second address: 77601C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77601C second address: 776020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 776020 second address: 77602C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B3583 second address: 6B35A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007F377CE47996h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78CDA9 second address: 78CDAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78CDAD second address: 78CDBB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F377CE47986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78CDBB second address: 78CDC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78CDC1 second address: 78CDC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78CDC5 second address: 78CDC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78CDC9 second address: 78CDCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78CF02 second address: 78CF15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377C5325EFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7915AE second address: 7915B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79A4F0 second address: 79A4F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79A4F6 second address: 79A4FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A20D1 second address: 7A20D7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A20D7 second address: 7A20DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A20DE second address: 7A20E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A0C43 second address: 7A0C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377CE4798Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A0DCD second address: 7A0DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A1084 second address: 7A10D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F377CE47991h 0x0000000f pop eax 0x00000010 jmp 00007F377CE4798Eh 0x00000015 pushad 0x00000016 jmp 00007F377CE4798Ah 0x0000001b push esi 0x0000001c pop esi 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F377CE47996h 0x00000025 push ecx 0x00000026 pop ecx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BA371 second address: 6BA37D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F377C5325E6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C563B second address: 7C5641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C5641 second address: 7C5650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push esi 0x0000000b pop esi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C5650 second address: 7C5656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C5656 second address: 7C565A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C565A second address: 7C5678 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47994h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C5678 second address: 7C567C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C567C second address: 7C568D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jg 00007F377CE4798Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEEF3 second address: 7DEEF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEEF7 second address: 7DEF03 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEF03 second address: 7DEF07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEF07 second address: 7DEF0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEF0B second address: 7DEF17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F377C5325E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEF17 second address: 7DEF24 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEF24 second address: 7DEF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377C5325EBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DF1CF second address: 7DF1D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DF1D3 second address: 7DF1F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push esi 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E2410 second address: 7E2416 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E52E8 second address: 7E52F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E52F3 second address: 7E531F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47993h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F377CE47991h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E531F second address: 7E5324 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E5324 second address: 7E535D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F377CE47999h 0x00000013 jmp 00007F377CE47991h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E666A second address: 7E6670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E6670 second address: 7E6675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E83CC second address: 7E83D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E83D1 second address: 7E83E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F377CE4798Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0EC8 second address: 52B0ECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0ECE second address: 52B0ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0ED2 second address: 52B0ED6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0ED6 second address: 52B0F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [eax+00000FDCh] 0x0000000e jmp 00007F377CE47999h 0x00000013 test ecx, ecx 0x00000015 pushad 0x00000016 push esi 0x00000017 mov edi, 7B8B8C0Eh 0x0000001c pop edi 0x0000001d mov di, cx 0x00000020 popad 0x00000021 jns 00007F377CE479B7h 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a mov cx, 3F79h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0F18 second address: 52B0F73 instructions: 0x00000000 rdtsc 0x00000002 mov cl, 5Ah 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F377C5325EBh 0x0000000b popad 0x0000000c add eax, ecx 0x0000000e jmp 00007F377C5325F6h 0x00000013 mov eax, dword ptr [eax+00000860h] 0x00000019 jmp 00007F377C5325F0h 0x0000001e test eax, eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F377C5325F7h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0F73 second address: 52B0F8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377CE47994h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FDDF3 second address: 6FDDF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FE03C second address: 6FE040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FE040 second address: 6FE046 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FE046 second address: 6FE04B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D0385 second address: 52D038B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D038B second address: 52D03B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F377CE47997h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D03B5 second address: 52D03CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377C5325F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D03CD second address: 52D03D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D03D1 second address: 52D03E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D040C second address: 52D041C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377CE4798Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0837 second address: 52C083B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C083B second address: 52C0841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0841 second address: 52C0891 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov di, 9460h 0x00000011 pushfd 0x00000012 jmp 00007F377C5325F9h 0x00000017 xor si, A166h 0x0000001c jmp 00007F377C5325F1h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0891 second address: 52C096D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47991h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F377CE47991h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F377CE4798Eh 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 movzx esi, di 0x0000001b call 00007F377CE47993h 0x00000020 call 00007F377CE47998h 0x00000025 pop esi 0x00000026 pop ebx 0x00000027 popad 0x00000028 xchg eax, ecx 0x00000029 pushad 0x0000002a jmp 00007F377CE4798Ch 0x0000002f pushfd 0x00000030 jmp 00007F377CE47992h 0x00000035 xor cl, 00000058h 0x00000038 jmp 00007F377CE4798Bh 0x0000003d popfd 0x0000003e popad 0x0000003f push eax 0x00000040 jmp 00007F377CE47999h 0x00000045 xchg eax, ecx 0x00000046 jmp 00007F377CE4798Eh 0x0000004b xchg eax, esi 0x0000004c jmp 00007F377CE47990h 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C096D second address: 52C0971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0971 second address: 52C0975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0975 second address: 52C097B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C097B second address: 52C09AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F377CE47996h 0x0000000f lea eax, dword ptr [ebp-04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C09AD second address: 52C09C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F377C5325F3h 0x00000009 pop eax 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C09C6 second address: 52C09FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 2A61BDABh 0x00000008 pushfd 0x00000009 jmp 00007F377CE47990h 0x0000000e or esi, 45FC8738h 0x00000014 jmp 00007F377CE4798Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d nop 0x0000001e pushad 0x0000001f pushad 0x00000020 mov cx, A281h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C09FD second address: 52C0A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov al, 03h 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a mov esi, 1082CF7Bh 0x0000000f pushfd 0x00000010 jmp 00007F377C5325F0h 0x00000015 add ax, 00C8h 0x0000001a jmp 00007F377C5325EBh 0x0000001f popfd 0x00000020 popad 0x00000021 nop 0x00000022 jmp 00007F377C5325F6h 0x00000027 push dword ptr [ebp+08h] 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F377C5325EDh 0x00000033 and cl, FFFFFF96h 0x00000036 jmp 00007F377C5325F1h 0x0000003b popfd 0x0000003c call 00007F377C5325F0h 0x00000041 pop ecx 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0B22 second address: 52C0B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0B26 second address: 52C0B2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0B2C second address: 52C0B31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0199 second address: 52C01C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F377C5325F7h 0x00000008 pop esi 0x00000009 movsx edi, si 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 mov dh, DBh 0x00000013 mov ah, E6h 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C01C8 second address: 52C01CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C01CC second address: 52C01D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C01D0 second address: 52C01D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C01D6 second address: 52C01FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C01FB second address: 52C01FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C01FF second address: 52C0212 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0212 second address: 52C02F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 call 00007F377CE47990h 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push FFFFFFFEh 0x00000011 jmp 00007F377CE47991h 0x00000016 push 50755C89h 0x0000001b jmp 00007F377CE47997h 0x00000020 xor dword ptr [esp], 25B3C2C1h 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F377CE47994h 0x0000002e adc ax, 1538h 0x00000033 jmp 00007F377CE4798Bh 0x00000038 popfd 0x00000039 mov ch, CFh 0x0000003b popad 0x0000003c push 703ED616h 0x00000041 jmp 00007F377CE47990h 0x00000046 add dword ptr [esp], 0582555Ah 0x0000004d jmp 00007F377CE47990h 0x00000052 mov eax, dword ptr fs:[00000000h] 0x00000058 pushad 0x00000059 call 00007F377CE4798Eh 0x0000005e pushfd 0x0000005f jmp 00007F377CE47992h 0x00000064 sub ax, 9128h 0x00000069 jmp 00007F377CE4798Bh 0x0000006e popfd 0x0000006f pop ecx 0x00000070 push eax 0x00000071 push edx 0x00000072 mov edi, 6EF58FCAh 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C02F9 second address: 52C033F instructions: 0x00000000 rdtsc 0x00000002 mov di, DE96h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ecx 0x0000000a jmp 00007F377C5325EAh 0x0000000f mov dword ptr [esp], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov al, dl 0x00000017 pushfd 0x00000018 jmp 00007F377C5325F6h 0x0000001d or ecx, 4158A5E8h 0x00000023 jmp 00007F377C5325EBh 0x00000028 popfd 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0436 second address: 52C043A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C043A second address: 52C0455 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0455 second address: 52C045B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C045B second address: 52C045F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C045F second address: 52C0477 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0477 second address: 52C047B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C047B second address: 52C048D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C048D second address: 52C04A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C04A3 second address: 52C04A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C04A7 second address: 52C04AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C04AD second address: 52C04E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F377CE4798Eh 0x00000011 xor cl, FFFFFFD8h 0x00000014 jmp 00007F377CE4798Bh 0x00000019 popfd 0x0000001a movzx eax, dx 0x0000001d popad 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov ah, bl 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C04E8 second address: 52C0521 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 mov dx, D2E4h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F377C5325F4h 0x00000016 sub si, B598h 0x0000001b jmp 00007F377C5325EBh 0x00000020 popfd 0x00000021 mov ah, 4Fh 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0521 second address: 52C0527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0527 second address: 52C052B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C052B second address: 52C052F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C052F second address: 52C055E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [75C74538h] 0x0000000d jmp 00007F377C5325F8h 0x00000012 xor dword ptr [ebp-08h], eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 mov cx, 6EC3h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C055E second address: 52C05A9 instructions: 0x00000000 rdtsc 0x00000002 mov ah, 34h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bl, BAh 0x00000008 popad 0x00000009 xor eax, ebp 0x0000000b jmp 00007F377CE4798Dh 0x00000010 nop 0x00000011 jmp 00007F377CE4798Eh 0x00000016 push eax 0x00000017 jmp 00007F377CE4798Bh 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F377CE47995h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C05A9 second address: 52C05EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c jmp 00007F377C5325EEh 0x00000011 mov dword ptr fs:[00000000h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F377C5325F7h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C05EE second address: 52C0606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377CE47994h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0606 second address: 52C060A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C060A second address: 52C061B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [ebp-18h], esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C061B second address: 52C061F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C061F second address: 52C0623 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0623 second address: 52C0629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0629 second address: 52C067E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000018h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F377CE4798Bh 0x00000018 xor si, BBFEh 0x0000001d jmp 00007F377CE47999h 0x00000022 popfd 0x00000023 call 00007F377CE47990h 0x00000028 pop ecx 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C067E second address: 52C06A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 1A9F3C0Dh 0x00000008 call 00007F377C5325EAh 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov ecx, dword ptr [eax+00000FDCh] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C06A0 second address: 52C06BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47996h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C06BA second address: 52C06CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test ecx, ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C06CC second address: 52C06DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C06DE second address: 52C0747 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F377C5325F1h 0x00000009 jmp 00007F377C5325EBh 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007F377C5325F8h 0x00000015 sbb ah, 00000078h 0x00000018 jmp 00007F377C5325EBh 0x0000001d popfd 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 jns 00007F377C53263Ch 0x00000027 pushad 0x00000028 call 00007F377C5325EBh 0x0000002d pushad 0x0000002e popad 0x0000002f pop eax 0x00000030 popad 0x00000031 add eax, ecx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0747 second address: 52C074E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C074E second address: 52C0791 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 241Ch 0x00000007 pushfd 0x00000008 jmp 00007F377C5325F5h 0x0000000d adc esi, 7E01A676h 0x00000013 jmp 00007F377C5325F1h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov ecx, dword ptr [ebp+08h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov esi, edi 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B01E9 second address: 52B01F7 instructions: 0x00000000 rdtsc 0x00000002 mov ah, E9h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B01F7 second address: 52B01FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B01FB second address: 52B01FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B01FF second address: 52B0205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0205 second address: 52B020B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B020B second address: 52B020F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B020F second address: 52B02AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov cx, 3331h 0x0000000e pushfd 0x0000000f jmp 00007F377CE4798Eh 0x00000014 or cx, E308h 0x00000019 jmp 00007F377CE4798Bh 0x0000001e popfd 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 jmp 00007F377CE47996h 0x00000027 sub esp, 2Ch 0x0000002a pushad 0x0000002b movzx esi, di 0x0000002e mov si, bx 0x00000031 popad 0x00000032 push eax 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007F377CE47990h 0x0000003a jmp 00007F377CE47995h 0x0000003f popfd 0x00000040 mov eax, 69842137h 0x00000045 popad 0x00000046 mov dword ptr [esp], ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F377CE47999h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B02AE second address: 52B02BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377C5325ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B02BE second address: 52B02DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F377CE47993h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B038B second address: 52B03C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 jmp 00007F377C5325EDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d sub edi, edi 0x0000000f jmp 00007F377C5325F7h 0x00000014 inc ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B03C0 second address: 52B03C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B03C4 second address: 52B03C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B03C8 second address: 52B03CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B03CE second address: 52B03EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 621Fh 0x00000007 mov edi, esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c test al, al 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F377C5325EDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B03EB second address: 52B044A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, BFh 0x00000005 mov ax, 5BFFh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F377CE47C35h 0x00000012 pushad 0x00000013 mov esi, 263FCBF7h 0x00000018 mov eax, 709B3093h 0x0000001d popad 0x0000001e lea ecx, dword ptr [ebp-14h] 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F377CE47994h 0x00000028 sbb ax, 7518h 0x0000002d jmp 00007F377CE4798Bh 0x00000032 popfd 0x00000033 mov di, si 0x00000036 popad 0x00000037 mov dword ptr [ebp-14h], edi 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F377CE4798Ch 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B044A second address: 52B0450 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0450 second address: 52B0456 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0456 second address: 52B045A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B04C6 second address: 52B04CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B04CC second address: 52B04D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0549 second address: 52B054F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B054F second address: 52B055F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B055F second address: 52B0565 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0565 second address: 52B05CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F377C5325F1h 0x00000009 adc al, 00000006h 0x0000000c jmp 00007F377C5325F1h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F377C5325F0h 0x00000018 jmp 00007F377C5325F5h 0x0000001d popfd 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 jg 00007F37ECEA04B9h 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F377C5325EDh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B05CE second address: 52B05F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47991h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F377CE47A49h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F377CE4798Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B05F8 second address: 52B0608 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377C5325ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0608 second address: 52B064B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [ebp-14h], edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushfd 0x00000014 jmp 00007F377CE47991h 0x00000019 sub si, 9F36h 0x0000001e jmp 00007F377CE47991h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B064B second address: 52B0650 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0650 second address: 52B0689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F377CE4798Dh 0x0000000a adc eax, 4C3BF096h 0x00000010 jmp 00007F377CE47991h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 jne 00007F37ED7B57A4h 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0689 second address: 52B068F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B068F second address: 52B06A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377CE47991h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B06A4 second address: 52B06F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F377C5325F6h 0x00000014 or cl, 00000048h 0x00000017 jmp 00007F377C5325EBh 0x0000001c popfd 0x0000001d call 00007F377C5325F8h 0x00000022 pop ecx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B06F2 second address: 52B0719 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47990h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-2Ch] 0x0000000c pushad 0x0000000d mov esi, 5E38ED6Dh 0x00000012 mov edi, esi 0x00000014 popad 0x00000015 xchg eax, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0719 second address: 52B071D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B071D second address: 52B072E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B072E second address: 52B073E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377C5325ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B073E second address: 52B0742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0742 second address: 52B075A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F377C5325EDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B075A second address: 52B077F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47991h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F377CE4798Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B077F second address: 52B07C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov ecx, 5EBF19C3h 0x00000010 mov di, si 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F377C5325EEh 0x0000001e sbb si, D888h 0x00000023 jmp 00007F377C5325EBh 0x00000028 popfd 0x00000029 push ecx 0x0000002a pop ebx 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B07C6 second address: 52B0887 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47995h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b pushad 0x0000000c mov edi, esi 0x0000000e pushfd 0x0000000f jmp 00007F377CE47996h 0x00000014 add ax, 4D48h 0x00000019 jmp 00007F377CE4798Bh 0x0000001e popfd 0x0000001f popad 0x00000020 popad 0x00000021 xchg eax, ebx 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F377CE47990h 0x00000029 jmp 00007F377CE47995h 0x0000002e popfd 0x0000002f pushfd 0x00000030 jmp 00007F377CE47990h 0x00000035 add eax, 0A398208h 0x0000003b jmp 00007F377CE4798Bh 0x00000040 popfd 0x00000041 popad 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 pushfd 0x00000047 jmp 00007F377CE47992h 0x0000004c add si, A468h 0x00000051 jmp 00007F377CE4798Bh 0x00000056 popfd 0x00000057 mov bx, si 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0887 second address: 52B089B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377C5325F0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B089B second address: 52B08BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov bl, al 0x0000000e jmp 00007F377CE47995h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0902 second address: 52B0908 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0908 second address: 52B0959 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F377CE47990h 0x00000009 xor si, C118h 0x0000000e jmp 00007F377CE4798Bh 0x00000013 popfd 0x00000014 call 00007F377CE47998h 0x00000019 pop esi 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov esi, eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F377CE4798Ch 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0959 second address: 52B002F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b pushad 0x0000000c push ecx 0x0000000d mov ax, dx 0x00000010 pop edi 0x00000011 mov di, ax 0x00000014 popad 0x00000015 je 00007F37ECEA02C7h 0x0000001b xor eax, eax 0x0000001d jmp 00007F377C50BD1Ah 0x00000022 pop esi 0x00000023 pop edi 0x00000024 pop ebx 0x00000025 leave 0x00000026 retn 0004h 0x00000029 nop 0x0000002a mov edi, eax 0x0000002c cmp edi, 00000000h 0x0000002f setne al 0x00000032 xor ebx, ebx 0x00000034 test al, 01h 0x00000036 jne 00007F377C5325E7h 0x00000038 jmp 00007F377C5326D9h 0x0000003d call 00007F37812D9D60h 0x00000042 mov edi, edi 0x00000044 pushad 0x00000045 pushfd 0x00000046 jmp 00007F377C5325EAh 0x0000004b or cl, FFFFFF98h 0x0000004e jmp 00007F377C5325EBh 0x00000053 popfd 0x00000054 popad 0x00000055 push esi 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F377C5325ECh 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B002F second address: 52B0035 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0035 second address: 52B013D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d pushad 0x0000000e mov dx, cx 0x00000011 push eax 0x00000012 pop edx 0x00000013 popad 0x00000014 movzx esi, di 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a jmp 00007F377C5325F7h 0x0000001f xchg eax, ecx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F377C5325F4h 0x00000027 jmp 00007F377C5325F5h 0x0000002c popfd 0x0000002d push eax 0x0000002e pushfd 0x0000002f jmp 00007F377C5325F7h 0x00000034 jmp 00007F377C5325F3h 0x00000039 popfd 0x0000003a pop esi 0x0000003b popad 0x0000003c push eax 0x0000003d pushad 0x0000003e pushfd 0x0000003f jmp 00007F377C5325F4h 0x00000044 add si, 40D8h 0x00000049 jmp 00007F377C5325EBh 0x0000004e popfd 0x0000004f mov ebx, ecx 0x00000051 popad 0x00000052 xchg eax, ecx 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 jmp 00007F377C5325F7h 0x0000005b pushfd 0x0000005c jmp 00007F377C5325F8h 0x00000061 and esi, 3E488598h 0x00000067 jmp 00007F377C5325EBh 0x0000006c popfd 0x0000006d popad 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B013D second address: 52B0155 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377CE47994h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0155 second address: 52B0184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [ebp-04h], 55534552h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F377C5325F5h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0184 second address: 52B018A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B018A second address: 52B018E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B018E second address: 52B0192 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0DBE second address: 52B0DCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377C5325ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0DCE second address: 52B0E1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F377CE47996h 0x00000011 push eax 0x00000012 jmp 00007F377CE4798Bh 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F377CE47995h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0E1A second address: 52B0E20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0E20 second address: 52B0E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0E24 second address: 52B0E42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F377C5325F2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0E42 second address: 52B0E9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [75C7459Ch], 05h 0x00000010 pushad 0x00000011 mov edi, 78EF4966h 0x00000016 popad 0x00000017 je 00007F37ED7A5526h 0x0000001d pushad 0x0000001e mov ch, dl 0x00000020 pushfd 0x00000021 jmp 00007F377CE47994h 0x00000026 or si, 2108h 0x0000002b jmp 00007F377CE4798Bh 0x00000030 popfd 0x00000031 popad 0x00000032 pop ebp 0x00000033 pushad 0x00000034 mov ecx, 7A8DF09Bh 0x00000039 push eax 0x0000003a push edx 0x0000003b movzx esi, di 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C00F9 second address: 52C00FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C00FF second address: 52C0103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0C9F second address: 52C0CE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, 2A1BE641h 0x0000000e popad 0x0000000f xchg eax, esi 0x00000010 jmp 00007F377C5325ECh 0x00000015 push eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 call 00007F377C5325F7h 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0E0E second address: 52C0E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 mov ebx, 4A362D6Eh 0x0000000c pop edi 0x0000000d popad 0x0000000e cmp dword ptr [75C7459Ch], 05h 0x00000015 pushad 0x00000016 movzx esi, bx 0x00000019 pushad 0x0000001a movsx ebx, ax 0x0000001d mov ax, 241Bh 0x00000021 popad 0x00000022 popad 0x00000023 je 00007F37ED7ACFECh 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F377CE4798Dh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0E46 second address: 52C0E71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F377C5325EEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0E71 second address: 52C0E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0E75 second address: 52C0E7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0E7B second address: 52C0E81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0E81 second address: 52C0E85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0EEC second address: 52C0EF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0EF0 second address: 52C0F0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0F0C second address: 52C0F12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 6ED84C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 6ED4DE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 533E43 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 6F9B71 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 77E989 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 7556	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7568	Thread sleep time: -30000s >= -30000s			Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: file.exe, 00000000.00000002.1851706509.00000000006D1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, file.exe, 00000000.00000003.1690697919.000000000128B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700772120.000000000128B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1852469176.000000000128A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.000000000128A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1852411307.000000000120E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1851706509.00000000006D1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.1690697919.0000000001271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.0000000001271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1852469176.0000000001271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700659896.0000000001271000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW$

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe, 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: clearancek.site
Source: file.exe, 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: licendfilteo.site
Source: file.exe, 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: spirittunek.stor
Source: file.exe, 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: bathdoomgaz.stor
Source: file.exe, 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: studennotediw.stor
Source: file.exe, 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: dissapoiznw.stor
Source: file.exe, 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: eaglepawnoy.stor
Source: file.exe, 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: mobbipenju.stor

Source: file.exe, 00000000.00000002.1851840993.0000000000715000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: rProgram Manager

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: file.exe, 00000000.00000002.1853114151.00000000012EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1857713084.0000000005BD5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1851374834.0000000005BD1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1851390062.0000000005BD4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1788509424.00000000012E9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: Wallets/Electrum
Source: file.exe	String found in binary or memory: Wallets/ElectronCash
Source: file.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: file.exe	String found in binary or memory: window-state.json
Source: file.exe	String found in binary or memory: ExodusWeb3
Source: file.exe	String found in binary or memory: Wallets/Ethereum
Source: file.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Searches for user specific document files

Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 7436, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.53.8	sergei-esenin.com	United States		13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	true

Contacted Domains

Name	IP	Active
steamcommunity.com	104.102.49.254	true
sergei-esenin.com	104.21.53.8	true
eaglepawnoy.store	unknown	unknown
bathdoomgaz.store	unknown	unknown
spirittunek.store	unknown	unknown
licendfilteo.site	unknown	unknown
studennotediw.store	unknown	unknown
mobbipenju.store	unknown	unknown
clearancek.site	unknown	unknown
dissapoiznw.store	unknown	unknown

Contacted URLs

Name	Malicious	Reputation
studennotediw.store	true	unknown
dissapoiznw.store	true	unknown
https://steamcommunity.com/profiles/76561199724331900	true	unknown
eaglepawnoy.store	true	unknown
bathdoomgaz.store	true	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com:443/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: file.exe.7436.0.memstrmin

Multi AV Scanner detection for domain / URL

Source: sergei-esenin.com	Virustotal: Detection: 19%	Perma Link
Source: bathdoomgaz.store	Virustotal: Detection: 21%	Perma Link
Source: spirittunek.store	Virustotal: Detection: 21%	Perma Link

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 43%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.store
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.store
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.store
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.store
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.store
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.store
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49739 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.4:55049 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.4:49241 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.4:59702 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.4:51355 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.4:64120 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.4:62543 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.4:63670 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.4:59915 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49732 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49734 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49730 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 104.21.53.8:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: mobbipenju.store
Source: Malware configuration extractor	URLs: dissapoiznw.store
Source: Malware configuration extractor	URLs: bathdoomgaz.store
Source: Malware configuration extractor	URLs: studennotediw.store
Source: Malware configuration extractor	URLs: eaglepawnoy.store
Source: Malware configuration extractor	URLs: licendfilteo.site
Source: Malware configuration extractor	URLs: spirittunek.store

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AKAMAI-ASUS AKAMAI-ASUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=bKmBZVeXetEUsJEvqQWppTmgKdLdaxlDFkrWihgCGmQ-1729406342-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=bKmBZVeXetEUsJEvqQWppTmgKdLdaxlDFkrWihgCGmQ-1729406342-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18168Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=bKmBZVeXetEUsJEvqQWppTmgKdLdaxlDFkrWihgCGmQ-1729406342-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8789Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=bKmBZVeXetEUsJEvqQWppTmgKdLdaxlDFkrWihgCGmQ-1729406342-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20442Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=bKmBZVeXetEUsJEvqQWppTmgKdLdaxlDFkrWihgCGmQ-1729406342-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1245Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1Cookie: __cf_mw_byp=bKmBZVeXetEUsJEvqQWppTmgKdLdaxlDFkrWihgCGmQ-1729406342-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 586556Host: sergei-esenin.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=bKmBZVeXetEUsJEvqQWppTmgKdLdaxlDFkrWihgCGmQ-1729406342-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: sergei-esenin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000000.00000002.1852469176.0000000001281000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.0000000001271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ' https://cosergei-esenin.comsergei-esenin.comty/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcasQ7B equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1690568055.000000000129E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1690697919.000000000128B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C0e3d185a3e106e73b244decdec33a0ea; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=af6637e6d5cd8f076664704a; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34508Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 20 Oct 2024 06:39:01 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1690697919.000000000128B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: t.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: t.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C0e3d185a3e106e73b244decdec33a0ea; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=af6637e6d5cd8f076664704a; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type34508Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 20 Oct 2024 06:39:01 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000002.1852469176.0000000001281000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.0000000001271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ty/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcas equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

Source: global traffic

Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1752865199.0000000005CDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719628135.0000000005BF9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a61
Source: file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000002.1852469176.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700659896.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bathdoomgaz.store:443/apibcryptPrimitives.dll(
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719628135.0000000005BF9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1690697919.000000000128B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719628135.0000000005BF9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719628135.0000000005BF9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, file.exe, 00000000.00000003.1690568055.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1852469176.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700772120.0000000001265000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690697919.0000000001265000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700659896.0000000001263000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site/api
Source: file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700659896.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site:443/api
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/
Source: file.exe, 00000000.00000003.1690568055.0000000001248000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/applications/community/main.css?v=DVae4t4RZiHA&l=en
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/globalv2.css?v=dQy8Omh4p9PH&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/promo/summer2017/stickers.css?v=P8gOPraCSjV6&l=engl
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/header.css?v=pTvrRy1pm52p&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/profilev2.css?v=t9xiI4DlPpEB&l=english
Source: file.exe, 00000000.00000003.1690568055.0000000001248000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000003.1690568055.0000000001248000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/libraries~b28b7af69.js?v=
Source: file.exe, 00000000.00000003.1690568055.0000000001248000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/main.js?v=4XouecKy8sZy&am
Source: file.exe, 00000000.00000003.1690568055.0000000001248000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/manifest.js?v=r7a4-LYcQOj
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/global.js?v=7qlUmHSJhPRN&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/modalContent.js?v=XpCpvP7feUoO&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/profile.js?v=bbs9uq0gqJ-H&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/promo/stickers.js?v=W8NP8aTVqtms&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL&l=
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/webui/clientcom.js?v=jq1jQyX1843y&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/css/buttons.css?v=-WV9f1LdxEjq&l=english
Source: file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/css/motiva_sans.css?v=v7XTmVzbLV33&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/css/shared_global.css?v=uF6G1wyNU-4c&l=english
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/css/shared_responsive.css?v=kR9MtmbWSZEp&l=engli
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&l=engl
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/shared_global.js?v=7glT1n_nkVCs&l=eng
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvIAKtunf
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000002.1852469176.0000000001281000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.0000000001271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cosergei-esenin.comsergei-esenin.comty/public/assets/
Source: file.exe, 00000000.00000002.1852469176.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700659896.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dissapoiznw.store:443/api
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700659896.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://licendfilteo.site:443/api
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700659896.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mobbipenju.store:443/api
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, file.exe, 00000000.00000003.1850629516.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700772120.000000000128B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1851091044.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1853087164.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700849717.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000003.1850629516.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1851091044.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1853087164.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/BK
Source: file.exe, 00000000.00000003.1700849717.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000000.00000002.1857604053.0000000005BD2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1851374834.0000000005BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api(
Source: file.exe, 00000000.00000003.1700659896.0000000001248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/apiHv$
Source: file.exe, 00000000.00000003.1851345687.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1858209085.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/apieP
Source: file.exe, 00000000.00000003.1851345687.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1858209085.0000000005BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/apiwz
Source: file.exe, 00000000.00000003.1850629516.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1851091044.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1853087164.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/k
Source: file.exe, 00000000.00000003.1700772120.000000000128B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700849717.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/za%
Source: file.exe, 00000000.00000002.1852469176.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/api
Source: file.exe, 00000000.00000002.1852469176.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/api4p.default-release/key4.dbPK
Source: file.exe, 00000000.00000002.1852469176.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/api6
Source: file.exe, 00000000.00000002.1852469176.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/apiK
Source: file.exe, 00000000.00000003.1700659896.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/apih
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.1690697919.000000000128B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/U
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/p
Source: file.exe, 00000000.00000003.1690568055.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690697919.0000000001265000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900&
Source: file.exe, 00000000.00000003.1690568055.0000000001248000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000002.1852469176.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690568055.000000000124F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700659896.000000000124F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.1690568055.000000000129E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690697919.000000000128B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.1690697919.000000000128B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C0e3d185a3e106e7
Source: file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1718877156.0000000005C3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: file.exe, 00000000.00000003.1754118021.0000000005EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1754118021.0000000005EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.1718877156.0000000005C3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: file.exe, 00000000.00000003.1718877156.0000000005C3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: file.exe, 00000000.00000003.1700772120.000000000128B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: file.exe, 00000000.00000003.1700849717.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-
Source: file.exe, 00000000.00000003.1700628151.00000000012D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719628135.0000000005BF9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.1719446245.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1719330275.0000000005C0F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.1754118021.0000000005EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: file.exe, 00000000.00000003.1754118021.0000000005EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000003.1754118021.0000000005EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.1754118021.0000000005EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1754118021.0000000005EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000003.1700607333.00000000012DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1690548980.00000000012D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700628151.00000000012DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.1690793016.0000000001295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.1700772120.0000000001283000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.4:49739 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: ZLIB complexity 0.9995487830033003

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@10/2

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000003.1719103299.0000000005C14000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe

Virustotal: Detection: 43%

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe	String found in binary or memory: RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNe

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static file information: File size 3058688 > 1048576

Source: file.exe

Static PE information: Raw size of teechqve is bigger than: 0x100000 < 0x2c1600

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.4d0000.0.unpack :EW;.rsrc :W;.idata :W;teechqve:EW;nqocidhr:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;teechqve:EW;nqocidhr:EW;.taggant:EW;

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x2f67a0 should be: 0x2f4a1f

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: teechqve
Source: file.exe	Static PE information: section name: nqocidhr
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9C2C push 234F6F6Ch; ret	0_3_012F9C31
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9C2C push 234F6F6Ch; ret	0_3_012F9C31
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9C2C push 234F6F6Ch; ret	0_3_012F9C31
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9C2C push 234F6F6Ch; ret	0_3_012F9C31
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9C2C push 234F6F6Ch; ret	0_3_012F9C31
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB71A push ecx; ret	0_3_012FB743
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB71A push ecx; ret	0_3_012FB743
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB71A push ecx; ret	0_3_012FB743
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB71A push ecx; ret	0_3_012FB743
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB71A push ecx; ret	0_3_012FB743
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB71A push ecx; ret	0_3_012FB743
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB71A push ecx; ret	0_3_012FB743
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9F6A push ecx; ret	0_3_012F9FA1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9F6A push ecx; ret	0_3_012F9FA1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9F6A push ecx; ret	0_3_012F9FA1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9F6A push ecx; ret	0_3_012F9FA1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012F9F6A push ecx; ret	0_3_012F9FA1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB9AA push ds; ret	0_3_012FB9AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB9AA push ds; ret	0_3_012FB9AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB9AA push ds; ret	0_3_012FB9AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB9AA push ds; ret	0_3_012FB9AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB9AA push ds; ret	0_3_012FB9AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB9AA push ds; ret	0_3_012FB9AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FB9AA push ds; ret	0_3_012FB9AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FDFA8 push eax; retf	0_3_012FDFA9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FDFA8 push eax; retf	0_3_012FDFA9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FDFA8 push eax; retf	0_3_012FDFA9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FDFA8 push eax; retf	0_3_012FDFA9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FDFA8 push eax; retf	0_3_012FDFA9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FDFA8 push eax; retf	0_3_012FDFA9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_012FDFA8 push eax; retf	0_3_012FDFA9

Source: file.exe

Static PE information: section name: entropy: 7.982552792221966

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\file.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C93D4 second address: 6C93E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C93E0 second address: 6C9404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F377CE47997h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C9404 second address: 6C9409 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C9409 second address: 6C9426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007F377CE47986h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007F377CE47986h 0x00000017 jnp 00007F377CE47986h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C9426 second address: 6C942A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C95A9 second address: 6C95AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C9997 second address: 6C99B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F377C5325FBh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC2CC second address: 6CC2D2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC2D2 second address: 6CC2D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC2D7 second address: 6CC31D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jno 00007F377CE4799Fh 0x00000012 xor edi, 19400081h 0x00000018 push 00000000h 0x0000001a mov edx, dword ptr [ebp+122D3BE0h] 0x00000020 call 00007F377CE47989h 0x00000025 push esi 0x00000026 push ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC31D second address: 6CC334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 jns 00007F377C5325ECh 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC334 second address: 6CC360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F377CE47990h 0x0000000f mov eax, dword ptr [eax] 0x00000011 pushad 0x00000012 jnl 00007F377CE4798Ch 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC360 second address: 6CC366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC366 second address: 6CC374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC374 second address: 6CC3D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377C5325F7h 0x00000009 popad 0x0000000a pop esi 0x0000000b pop eax 0x0000000c xor dword ptr [ebp+122D1DFFh], ebx 0x00000012 push 00000003h 0x00000014 or dword ptr [ebp+122D3015h], eax 0x0000001a push 00000000h 0x0000001c cmc 0x0000001d push 00000003h 0x0000001f sub dword ptr [ebp+122D1D5Dh], eax 0x00000025 call 00007F377C5325E9h 0x0000002a jmp 00007F377C5325EBh 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F377C5325F5h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC3D7 second address: 6CC42F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F377CE47994h 0x00000008 jmp 00007F377CE4798Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 je 00007F377CE47988h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d pushad 0x0000001e popad 0x0000001f pop eax 0x00000020 popad 0x00000021 mov eax, dword ptr [eax] 0x00000023 pushad 0x00000024 jmp 00007F377CE47997h 0x00000029 pushad 0x0000002a ja 00007F377CE47986h 0x00000030 push edi 0x00000031 pop edi 0x00000032 popad 0x00000033 popad 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push ecx 0x0000003c pop ecx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC42F second address: 6CC45C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub dword ptr [ebp+122D1DF8h], eax 0x0000000e lea ebx, dword ptr [ebp+1246C1B5h] 0x00000014 clc 0x00000015 xchg eax, ebx 0x00000016 pushad 0x00000017 push edi 0x00000018 js 00007F377C5325E6h 0x0000001e pop edi 0x0000001f pushad 0x00000020 push eax 0x00000021 pop eax 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 popad 0x00000025 popad 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC45C second address: 6CC460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6CC460 second address: 6CC47D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EC814 second address: 6EC868 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnc 00007F377CE47986h 0x00000009 pop edx 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F377CE47991h 0x00000016 pushad 0x00000017 push edi 0x00000018 pop edi 0x00000019 pushad 0x0000001a popad 0x0000001b jbe 00007F377CE47986h 0x00000021 jmp 00007F377CE47996h 0x00000026 popad 0x00000027 push esi 0x00000028 pushad 0x00000029 popad 0x0000002a pushad 0x0000002b popad 0x0000002c pop esi 0x0000002d push eax 0x0000002e push edx 0x0000002f jo 00007F377CE47986h 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EC868 second address: 6EC86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B504E second address: 6B5053 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA6AD second address: 6EA6B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA6B3 second address: 6EA6E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F377CE47996h 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA6E1 second address: 6EA6EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F377C5325E6h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA829 second address: 6EA843 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F377CE47995h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA978 second address: 6EA982 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F377C5325E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA982 second address: 6EA987 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA987 second address: 6EA9AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377C5325F9h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EA9AB second address: 6EA9AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EAC72 second address: 6EAC77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EAC77 second address: 6EACA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377CE47992h 0x00000009 jmp 00007F377CE47991h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EACA2 second address: 6EACCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F377C5325E6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jnl 00007F377C5325F7h 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EAE4C second address: 6EAE50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EAE50 second address: 6EAE54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EAE54 second address: 6EAE5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EAE5A second address: 6EAE75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F377C5325F1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EAFBB second address: 6EAFC5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F377CE4798Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EB2A5 second address: 6EB2B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007F377C5325E6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EB800 second address: 6EB80C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jc 00007F377CE47986h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EB80C second address: 6EB834 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F2h 0x00000007 jmp 00007F377C5325ECh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EB834 second address: 6EB838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E33DA second address: 6E33E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6E33E0 second address: 6E33EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C2B34 second address: 6C2B38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C2B38 second address: 6C2B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EC25A second address: 6EC264 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F377C5325ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EC392 second address: 6EC3C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377CE47992h 0x00000009 pop edi 0x0000000a pushad 0x0000000b jg 00007F377CE47986h 0x00000011 jmp 00007F377CE47990h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EC3C2 second address: 6EC3D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jnc 00007F377C5325E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EE750 second address: 6EE754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EE754 second address: 6EE758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EE758 second address: 6EE75E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EDD37 second address: 6EDD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EDD3B second address: 6EDD41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6EEE06 second address: 6EEE0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B6C04 second address: 6B6C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F377CE47986h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B6C11 second address: 6B6C15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C1031 second address: 6C1040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F377CE47986h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C1040 second address: 6C1044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6C1044 second address: 6C104A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F6E77 second address: 6F6E7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F6E7D second address: 6F6E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F377CE4798Bh 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 ja 00007F377CE47986h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F727D second address: 6F72B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F377C5325EAh 0x0000000e jmp 00007F377C5325F5h 0x00000013 pop esi 0x00000014 pushad 0x00000015 jmp 00007F377C5325EAh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F75AB second address: 6F75B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F75B3 second address: 6F75BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F377C5325E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F75BF second address: 6F75C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F75C3 second address: 6F75C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F76ED second address: 6F76F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F76F3 second address: 6F76F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F76F7 second address: 6F7718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377CE47991h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F377CE4798Eh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F7824 second address: 6F783D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a je 00007F377C5325E6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAFB2 second address: 6FAFDD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 js 00007F377CE47991h 0x0000000f jmp 00007F377CE4798Bh 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a push edx 0x0000001b pop edx 0x0000001c pop edx 0x0000001d pop eax 0x0000001e mov eax, dword ptr [eax] 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAFDD second address: 6FAFF5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F377C5325E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop esi 0x0000000e popad 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAFF5 second address: 6FAFF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FB4B4 second address: 6FB4B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBB62 second address: 6FBB66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBB66 second address: 6FBB6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBB6C second address: 6FBB72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBB72 second address: 6FBB76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBB76 second address: 6FBBC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F377CE47988h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 push eax 0x00000026 or dword ptr [ebp+122D1D16h], edx 0x0000002c pop esi 0x0000002d nop 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F377CE47994h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBBC6 second address: 6FBBD0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F377C5325E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBBD0 second address: 6FBBFF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F377CE4798Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F377CE47999h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FBCFB second address: 6FBD00 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FC1D4 second address: 6FC1E4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F377CE47986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FC1E4 second address: 6FC1EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FC1EB second address: 6FC1F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FC1F1 second address: 6FC233 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F377C5325E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F377C5325E8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 call 00007F377C5325EBh 0x0000002c pop esi 0x0000002d xchg eax, ebx 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FC233 second address: 6FC237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FC237 second address: 6FC252 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FD10E second address: 6FD124 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377CE47992h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FE266 second address: 6FE282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F377C5325F3h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FD8AE second address: 6FD8B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FD8B4 second address: 6FD8B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70015F second address: 700172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F377CE47988h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 700172 second address: 7001AD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F377C5325ECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jbe 00007F377C5325ECh 0x00000011 mov dword ptr [ebp+122D2FF9h], edx 0x00000017 push 00000000h 0x00000019 xor dword ptr [ebp+12489FC6h], eax 0x0000001f push 00000000h 0x00000021 mov esi, 3D9AEF4Ch 0x00000026 push eax 0x00000027 push ecx 0x00000028 pushad 0x00000029 jmp 00007F377C5325EAh 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FFEF9 second address: 6FFF04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F377CE47986h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FFF04 second address: 6FFF1B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F377C5325ECh 0x00000008 jns 00007F377C5325E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FFF1B second address: 6FFF25 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F377CE47986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FFF25 second address: 6FFF2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F377C5325E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BF595 second address: 6BF599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BF599 second address: 6BF5AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007F377C5325ECh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BF5AD second address: 6BF5B8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 705306 second address: 70530A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 706B01 second address: 706B06 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 706B06 second address: 706B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a movsx ebx, ax 0x0000000d push dword ptr fs:[00000000h] 0x00000014 sub di, 0BC9h 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 or dword ptr [ebp+122D2DB1h], eax 0x00000026 mov eax, dword ptr [ebp+122D1535h] 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007F377C5325E8h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 00000017h 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 js 00007F377C5325E9h 0x0000004c xor bl, 0000004Fh 0x0000004f push FFFFFFFFh 0x00000051 push 00000000h 0x00000053 push ecx 0x00000054 call 00007F377C5325E8h 0x00000059 pop ecx 0x0000005a mov dword ptr [esp+04h], ecx 0x0000005e add dword ptr [esp+04h], 00000014h 0x00000066 inc ecx 0x00000067 push ecx 0x00000068 ret 0x00000069 pop ecx 0x0000006a ret 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 jnl 00007F377C5325E6h 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 706B83 second address: 706B89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 708945 second address: 70894B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 707AF6 second address: 707AFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 707AFC second address: 707B00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 708B0C second address: 708B2A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F377CE47988h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F377CE4798Fh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 708BCD second address: 708BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 708BD1 second address: 708BD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 709BB1 second address: 709BB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70BAF1 second address: 70BB0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377CE47999h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70CA3D second address: 70CA4D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F377C5325E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70CA4D second address: 70CA52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70CB53 second address: 70CB5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F377C5325E6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 711A57 second address: 711A5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 712976 second address: 712980 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70ED25 second address: 70ED36 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F377CE47988h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70FA7C second address: 70FA80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70FA80 second address: 70FA86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 711BC8 second address: 711BDE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F377C5325EEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 70FA86 second address: 70FB11 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jo 00007F377CE47986h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f pushad 0x00000010 call 00007F377CE4798Bh 0x00000015 pop ebx 0x00000016 mov dword ptr [ebp+1247E03Eh], ecx 0x0000001c popad 0x0000001d push dword ptr fs:[00000000h] 0x00000024 jo 00007F377CE4798Ch 0x0000002a mov dword ptr [ebp+1246C8C9h], eax 0x00000030 mov dword ptr [ebp+12495C4Bh], edx 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d mov bl, 78h 0x0000003f mov eax, dword ptr [ebp+122D025Dh] 0x00000045 push 00000000h 0x00000047 push ebx 0x00000048 call 00007F377CE47988h 0x0000004d pop ebx 0x0000004e mov dword ptr [esp+04h], ebx 0x00000052 add dword ptr [esp+04h], 0000001Bh 0x0000005a inc ebx 0x0000005b push ebx 0x0000005c ret 0x0000005d pop ebx 0x0000005e ret 0x0000005f mov di, dx 0x00000062 add edi, dword ptr [ebp+122D31E1h] 0x00000068 push FFFFFFFFh 0x0000006a mov dword ptr [ebp+122D331Fh], ebx 0x00000070 mov edi, eax 0x00000072 push eax 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 jnl 00007F377CE47986h 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71486F second address: 714873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 716C64 second address: 716C6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7149A8 second address: 714A40 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F377C5325F4h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e cld 0x0000000f push dword ptr fs:[00000000h] 0x00000016 jbe 00007F377C5325F1h 0x0000001c or dword ptr [ebp+1247532Ch], esi 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007F377C5325E8h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 00000015h 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 mov eax, dword ptr [ebp+122D0F0Dh] 0x00000049 or dword ptr [ebp+122D3015h], ebx 0x0000004f push FFFFFFFFh 0x00000051 jmp 00007F377C5325F6h 0x00000056 nop 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F377C5325F1h 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 716C6C second address: 716C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6AE750 second address: 6AE754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71D142 second address: 71D152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377CE4798Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 71D152 second address: 71D156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6ACC67 second address: 6ACC73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jng 00007F377CE47986h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 720015 second address: 720029 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325EDh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72027F second address: 7202B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F377CE47986h 0x0000000a jmp 00007F377CE4798Ah 0x0000000f jmp 00007F377CE47994h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F377CE4798Dh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7202B9 second address: 7202BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 724C59 second address: 724C6B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jl 00007F377CE4798Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 724C6B second address: 724C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F377C5325ECh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 724DE7 second address: 724E02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47997h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72A426 second address: 72A430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F377C5325E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72A430 second address: 72A436 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72AE8E second address: 72AE94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72B1A8 second address: 72B1AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72B1AF second address: 72B1D5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F377C5325E8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b jmp 00007F377C5325F9h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72B1D5 second address: 72B1DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72B32B second address: 72B346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F377C5325F2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72B346 second address: 72B34A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72B5B9 second address: 72B605 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F377C5325E6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F377C5325F2h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 jmp 00007F377C5325F8h 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d pop ebx 0x0000001e jnc 00007F377C5325EEh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72B605 second address: 72B60D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E0DC second address: 72E13F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F377C5325F2h 0x00000008 pop edx 0x00000009 jmp 00007F377C5325EAh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F377C5325EEh 0x00000019 pop ecx 0x0000001a jmp 00007F377C5325F9h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F377C5325F1h 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 72E13F second address: 72E143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734355 second address: 73435A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F9A26 second address: 6E33DA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F377CE47988h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D1D93h], ecx 0x0000002a lea eax, dword ptr [ebp+124997A0h] 0x00000030 mov dword ptr [ebp+122D1D6Dh], edi 0x00000036 push eax 0x00000037 jmp 00007F377CE47997h 0x0000003c mov dword ptr [esp], eax 0x0000003f mov dword ptr [ebp+122D1D93h], ecx 0x00000045 call dword ptr [ebp+122D307Eh] 0x0000004b pushad 0x0000004c jp 00007F377CE4798Ah 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6F9B0F second address: 6F9B15 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA04A second address: 6FA064 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F377CE47991h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA0E7 second address: 6FA0ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA0ED second address: 6FA145 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F377CE47994h 0x00000008 jne 00007F377CE47986h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007F377CE47992h 0x00000018 jmp 00007F377CE4798Eh 0x0000001d popad 0x0000001e xchg eax, esi 0x0000001f mov dword ptr [ebp+122D3319h], ecx 0x00000025 nop 0x00000026 pushad 0x00000027 push edi 0x00000028 jl 00007F377CE47986h 0x0000002e pop edi 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA145 second address: 6FA149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA24F second address: 6FA285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [esp+04h] 0x00000008 jmp 00007F377CE4798Bh 0x0000000d mov eax, dword ptr [eax] 0x0000000f jl 00007F377CE479ABh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F377CE47999h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA285 second address: 6FA289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA4CA second address: 6FA4DC instructions: 0x00000000 rdtsc 0x00000002 jns 00007F377CE47986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F377CE4798Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA93D second address: 6FA94A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F377C5325E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FA94A second address: 6FA950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAB86 second address: 6FAC20 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jp 00007F377C5325E6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edx, 787D3DC0h 0x00000014 lea eax, dword ptr [ebp+124997E4h] 0x0000001a jmp 00007F377C5325F7h 0x0000001f mov ch, bl 0x00000021 nop 0x00000022 push ebx 0x00000023 jmp 00007F377C5325F9h 0x00000028 pop ebx 0x00000029 push eax 0x0000002a jnp 00007F377C5325EEh 0x00000030 nop 0x00000031 push edx 0x00000032 mov di, 157Fh 0x00000036 pop ecx 0x00000037 lea eax, dword ptr [ebp+124997A0h] 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007F377C5325E8h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 00000017h 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 mov edi, 7EB5B63Dh 0x0000005c nop 0x0000005d jng 00007F377C5325F4h 0x00000063 push eax 0x00000064 push edx 0x00000065 push ecx 0x00000066 pop ecx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAC20 second address: 6FAC31 instructions: 0x00000000 rdtsc 0x00000002 je 00007F377CE47986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FAC31 second address: 6E3E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007F377C5325E8h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 00000017h 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 jmp 00007F377C5325F4h 0x00000026 call dword ptr [ebp+122D1CCCh] 0x0000002c pushad 0x0000002d jmp 00007F377C5325F4h 0x00000032 pushad 0x00000033 pushad 0x00000034 popad 0x00000035 pushad 0x00000036 popad 0x00000037 je 00007F377C5325E6h 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734E0E second address: 734E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734E13 second address: 734E20 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734E20 second address: 734E26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734E26 second address: 734E2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734F6B second address: 734F71 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734F71 second address: 734F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jns 00007F377C5325E6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734F81 second address: 734F85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 734F85 second address: 734F8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B87A0 second address: 6B87BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F377CE47996h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B87BC second address: 6B87D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377C5325F0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73AED7 second address: 73AEDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B083 second address: 73B089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B089 second address: 73B08D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B206 second address: 73B20A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B4C2 second address: 73B4DD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F377CE47986h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f popad 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jns 00007F377CE47986h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B4DD second address: 73B4E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B4E1 second address: 73B4E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B4E7 second address: 73B4ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B4ED second address: 73B50E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47997h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F377CE47986h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B669 second address: 73B674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F377C5325E6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B674 second address: 73B67A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B67A second address: 73B691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377C5325F3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73B915 second address: 73B919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7412BD second address: 7412C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73FCD9 second address: 73FCE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jp 00007F377CE47988h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73FCE7 second address: 73FCF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73FF93 second address: 73FF9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7400E3 second address: 7400EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7400EF second address: 7400F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740244 second address: 74026E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F377C5325FFh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74026E second address: 740298 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47997h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnc 00007F377CE47986h 0x00000010 jl 00007F377CE47986h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740401 second address: 740406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740559 second address: 74055E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74055E second address: 740564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740564 second address: 74058F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F377CE47999h 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007F377CE47986h 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7407FC second address: 740824 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a jmp 00007F377C5325F8h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740824 second address: 740843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377CE47997h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740843 second address: 74084B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7409B6 second address: 7409BC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7409BC second address: 7409CA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F377C5325E8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7409CA second address: 7409D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740B5B second address: 740B7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 js 00007F377C5325E6h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F377C5325F2h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740B7D second address: 740B81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 744316 second address: 744328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 744328 second address: 744340 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47994h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 744340 second address: 744346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 743D36 second address: 743D54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F377CE4798Eh 0x0000000c pop eax 0x0000000d jl 00007F377CE4798Eh 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74620B second address: 746226 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746226 second address: 746258 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F377CE4798Ah 0x00000008 jc 00007F377CE4798Ah 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 jo 00007F377CE47986h 0x0000001d push esi 0x0000001e pop esi 0x0000001f pop ebx 0x00000020 pushad 0x00000021 jne 00007F377CE47986h 0x00000027 jne 00007F377CE47986h 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 746258 second address: 74625E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74AEB6 second address: 74AEBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74AEBA second address: 74AEC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74AEC6 second address: 74AEF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F377CE4798Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007F377CE4799Dh 0x00000011 jmp 00007F377CE47997h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74B06F second address: 74B079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F377C5325E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74B079 second address: 74B087 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74B087 second address: 74B0A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F377C5325EDh 0x0000000c pop edi 0x0000000d pushad 0x0000000e jnl 00007F377C5325E8h 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74B397 second address: 74B39D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 750BA8 second address: 750BAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 750BAC second address: 750BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F377CE47986h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007F377CE4798Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 750BC6 second address: 750BEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c jc 00007F377C5325E6h 0x00000012 je 00007F377C5325E6h 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74F903 second address: 74F912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jc 00007F377CE4799Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74F912 second address: 74F925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377C5325EFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74F925 second address: 74F92A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74F92A second address: 74F958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377C5325F9h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F377C5325ECh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74FADC second address: 74FAE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74FD9A second address: 74FDAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377C5325EFh 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7508C4 second address: 7508C9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7508C9 second address: 7508D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7546B0 second address: 7546B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7546B4 second address: 7546E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F377C5325E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007F377C5325EEh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F377C5325F1h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 754B76 second address: 754B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 754B7A second address: 754B7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 754B7E second address: 754B84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 754B84 second address: 754B8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 754B8D second address: 754B93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 754DFE second address: 754E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C0CE second address: 75C0E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C0E1 second address: 75C108 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325EAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F377C5325F3h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C108 second address: 75C112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F377CE47986h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C112 second address: 75C116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75A32C second address: 75A336 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F377CE47986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75A336 second address: 75A368 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F377C5325ECh 0x0000000a jc 00007F377C5325E6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F377C5325F8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75A368 second address: 75A3A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47991h 0x00000007 jnc 00007F377CE47986h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push edi 0x00000013 jmp 00007F377CE47999h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75B2C0 second address: 75B2CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F377C5325E6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75B2CB second address: 75B2F5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F377CE479A0h 0x00000008 jg 00007F377CE47986h 0x0000000e jmp 00007F377CE47994h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75B2F5 second address: 75B2FB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BDA36 second address: 6BDA3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 766AC8 second address: 766AD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F377C5325E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 766AD4 second address: 766AD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 766AD8 second address: 766ADC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 766F23 second address: 766F29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76725D second address: 767289 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F377C5325F2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 767516 second address: 76751A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76ECA4 second address: 76ECAE instructions: 0x00000000 rdtsc 0x00000002 je 00007F377C5325EEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76ECAE second address: 76ECB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76CDC6 second address: 76CDD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F377C5325E8h 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76D1A8 second address: 76D20F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377CE47997h 0x00000009 jnc 00007F377CE47986h 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F377CE47998h 0x00000018 jmp 00007F377CE47990h 0x0000001d popad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F377CE47996h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76D344 second address: 76D34A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76D8BF second address: 76D8C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76D8C5 second address: 76D8CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76D8CB second address: 76D8D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76DC28 second address: 76DC35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76DC35 second address: 76DC39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76DC39 second address: 76DC3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76EB44 second address: 76EB5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F377CE4799Ah 0x0000000b push edi 0x0000000c ja 00007F377CE47986h 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 push edi 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76C92D second address: 76C94A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F377C5325F2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76C94A second address: 76C950 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 775FF3 second address: 775FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 775FFB second address: 776018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F377CE4798Fh 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 776018 second address: 77601C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77601C second address: 776020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 776020 second address: 77602C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6B3583 second address: 6B35A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007F377CE47996h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78CDA9 second address: 78CDAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78CDAD second address: 78CDBB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F377CE47986h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78CDBB second address: 78CDC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78CDC1 second address: 78CDC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78CDC5 second address: 78CDC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78CDC9 second address: 78CDCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78CF02 second address: 78CF15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377C5325EFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7915AE second address: 7915B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79A4F0 second address: 79A4F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79A4F6 second address: 79A4FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A20D1 second address: 7A20D7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A20D7 second address: 7A20DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A20DE second address: 7A20E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A0C43 second address: 7A0C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377CE4798Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A0DCD second address: 7A0DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A1084 second address: 7A10D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F377CE47991h 0x0000000f pop eax 0x00000010 jmp 00007F377CE4798Eh 0x00000015 pushad 0x00000016 jmp 00007F377CE4798Ah 0x0000001b push esi 0x0000001c pop esi 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F377CE47996h 0x00000025 push ecx 0x00000026 pop ecx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6BA371 second address: 6BA37D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F377C5325E6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C563B second address: 7C5641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C5641 second address: 7C5650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push esi 0x0000000b pop esi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C5650 second address: 7C5656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C5656 second address: 7C565A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C565A second address: 7C5678 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47994h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C5678 second address: 7C567C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C567C second address: 7C568D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jg 00007F377CE4798Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEEF3 second address: 7DEEF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEEF7 second address: 7DEF03 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEF03 second address: 7DEF07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEF07 second address: 7DEF0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEF0B second address: 7DEF17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F377C5325E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEF17 second address: 7DEF24 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DEF24 second address: 7DEF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F377C5325EBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DF1CF second address: 7DF1D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DF1D3 second address: 7DF1F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push esi 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E2410 second address: 7E2416 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E52E8 second address: 7E52F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E52F3 second address: 7E531F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47993h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F377CE47991h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E531F second address: 7E5324 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E5324 second address: 7E535D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F377CE47999h 0x00000013 jmp 00007F377CE47991h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E666A second address: 7E6670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E6670 second address: 7E6675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E83CC second address: 7E83D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E83D1 second address: 7E83E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F377CE4798Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0EC8 second address: 52B0ECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0ECE second address: 52B0ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0ED2 second address: 52B0ED6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0ED6 second address: 52B0F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [eax+00000FDCh] 0x0000000e jmp 00007F377CE47999h 0x00000013 test ecx, ecx 0x00000015 pushad 0x00000016 push esi 0x00000017 mov edi, 7B8B8C0Eh 0x0000001c pop edi 0x0000001d mov di, cx 0x00000020 popad 0x00000021 jns 00007F377CE479B7h 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a mov cx, 3F79h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0F18 second address: 52B0F73 instructions: 0x00000000 rdtsc 0x00000002 mov cl, 5Ah 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F377C5325EBh 0x0000000b popad 0x0000000c add eax, ecx 0x0000000e jmp 00007F377C5325F6h 0x00000013 mov eax, dword ptr [eax+00000860h] 0x00000019 jmp 00007F377C5325F0h 0x0000001e test eax, eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F377C5325F7h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0F73 second address: 52B0F8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377CE47994h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FDDF3 second address: 6FDDF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FE03C second address: 6FE040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FE040 second address: 6FE046 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 6FE046 second address: 6FE04B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D0385 second address: 52D038B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D038B second address: 52D03B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F377CE47997h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D03B5 second address: 52D03CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377C5325F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D03CD second address: 52D03D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D03D1 second address: 52D03E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52D040C second address: 52D041C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377CE4798Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0837 second address: 52C083B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C083B second address: 52C0841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0841 second address: 52C0891 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov di, 9460h 0x00000011 pushfd 0x00000012 jmp 00007F377C5325F9h 0x00000017 xor si, A166h 0x0000001c jmp 00007F377C5325F1h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0891 second address: 52C096D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47991h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F377CE47991h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F377CE4798Eh 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 movzx esi, di 0x0000001b call 00007F377CE47993h 0x00000020 call 00007F377CE47998h 0x00000025 pop esi 0x00000026 pop ebx 0x00000027 popad 0x00000028 xchg eax, ecx 0x00000029 pushad 0x0000002a jmp 00007F377CE4798Ch 0x0000002f pushfd 0x00000030 jmp 00007F377CE47992h 0x00000035 xor cl, 00000058h 0x00000038 jmp 00007F377CE4798Bh 0x0000003d popfd 0x0000003e popad 0x0000003f push eax 0x00000040 jmp 00007F377CE47999h 0x00000045 xchg eax, ecx 0x00000046 jmp 00007F377CE4798Eh 0x0000004b xchg eax, esi 0x0000004c jmp 00007F377CE47990h 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C096D second address: 52C0971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0971 second address: 52C0975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0975 second address: 52C097B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C097B second address: 52C09AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F377CE47996h 0x0000000f lea eax, dword ptr [ebp-04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C09AD second address: 52C09C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F377C5325F3h 0x00000009 pop eax 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C09C6 second address: 52C09FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 2A61BDABh 0x00000008 pushfd 0x00000009 jmp 00007F377CE47990h 0x0000000e or esi, 45FC8738h 0x00000014 jmp 00007F377CE4798Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d nop 0x0000001e pushad 0x0000001f pushad 0x00000020 mov cx, A281h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C09FD second address: 52C0A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov al, 03h 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a mov esi, 1082CF7Bh 0x0000000f pushfd 0x00000010 jmp 00007F377C5325F0h 0x00000015 add ax, 00C8h 0x0000001a jmp 00007F377C5325EBh 0x0000001f popfd 0x00000020 popad 0x00000021 nop 0x00000022 jmp 00007F377C5325F6h 0x00000027 push dword ptr [ebp+08h] 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F377C5325EDh 0x00000033 and cl, FFFFFF96h 0x00000036 jmp 00007F377C5325F1h 0x0000003b popfd 0x0000003c call 00007F377C5325F0h 0x00000041 pop ecx 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0B22 second address: 52C0B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0B26 second address: 52C0B2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0B2C second address: 52C0B31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0199 second address: 52C01C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F377C5325F7h 0x00000008 pop esi 0x00000009 movsx edi, si 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 mov dh, DBh 0x00000013 mov ah, E6h 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C01C8 second address: 52C01CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C01CC second address: 52C01D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C01D0 second address: 52C01D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C01D6 second address: 52C01FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C01FB second address: 52C01FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C01FF second address: 52C0212 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0212 second address: 52C02F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 call 00007F377CE47990h 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push FFFFFFFEh 0x00000011 jmp 00007F377CE47991h 0x00000016 push 50755C89h 0x0000001b jmp 00007F377CE47997h 0x00000020 xor dword ptr [esp], 25B3C2C1h 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F377CE47994h 0x0000002e adc ax, 1538h 0x00000033 jmp 00007F377CE4798Bh 0x00000038 popfd 0x00000039 mov ch, CFh 0x0000003b popad 0x0000003c push 703ED616h 0x00000041 jmp 00007F377CE47990h 0x00000046 add dword ptr [esp], 0582555Ah 0x0000004d jmp 00007F377CE47990h 0x00000052 mov eax, dword ptr fs:[00000000h] 0x00000058 pushad 0x00000059 call 00007F377CE4798Eh 0x0000005e pushfd 0x0000005f jmp 00007F377CE47992h 0x00000064 sub ax, 9128h 0x00000069 jmp 00007F377CE4798Bh 0x0000006e popfd 0x0000006f pop ecx 0x00000070 push eax 0x00000071 push edx 0x00000072 mov edi, 6EF58FCAh 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C02F9 second address: 52C033F instructions: 0x00000000 rdtsc 0x00000002 mov di, DE96h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ecx 0x0000000a jmp 00007F377C5325EAh 0x0000000f mov dword ptr [esp], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov al, dl 0x00000017 pushfd 0x00000018 jmp 00007F377C5325F6h 0x0000001d or ecx, 4158A5E8h 0x00000023 jmp 00007F377C5325EBh 0x00000028 popfd 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0436 second address: 52C043A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C043A second address: 52C0455 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0455 second address: 52C045B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C045B second address: 52C045F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C045F second address: 52C0477 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0477 second address: 52C047B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C047B second address: 52C048D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C048D second address: 52C04A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C04A3 second address: 52C04A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C04A7 second address: 52C04AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C04AD second address: 52C04E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F377CE4798Eh 0x00000011 xor cl, FFFFFFD8h 0x00000014 jmp 00007F377CE4798Bh 0x00000019 popfd 0x0000001a movzx eax, dx 0x0000001d popad 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov ah, bl 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C04E8 second address: 52C0521 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 mov dx, D2E4h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F377C5325F4h 0x00000016 sub si, B598h 0x0000001b jmp 00007F377C5325EBh 0x00000020 popfd 0x00000021 mov ah, 4Fh 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0521 second address: 52C0527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0527 second address: 52C052B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C052B second address: 52C052F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C052F second address: 52C055E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [75C74538h] 0x0000000d jmp 00007F377C5325F8h 0x00000012 xor dword ptr [ebp-08h], eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 mov cx, 6EC3h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C055E second address: 52C05A9 instructions: 0x00000000 rdtsc 0x00000002 mov ah, 34h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bl, BAh 0x00000008 popad 0x00000009 xor eax, ebp 0x0000000b jmp 00007F377CE4798Dh 0x00000010 nop 0x00000011 jmp 00007F377CE4798Eh 0x00000016 push eax 0x00000017 jmp 00007F377CE4798Bh 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F377CE47995h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C05A9 second address: 52C05EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c jmp 00007F377C5325EEh 0x00000011 mov dword ptr fs:[00000000h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F377C5325F7h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C05EE second address: 52C0606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377CE47994h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0606 second address: 52C060A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C060A second address: 52C061B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [ebp-18h], esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C061B second address: 52C061F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C061F second address: 52C0623 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0623 second address: 52C0629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0629 second address: 52C067E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000018h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F377CE4798Bh 0x00000018 xor si, BBFEh 0x0000001d jmp 00007F377CE47999h 0x00000022 popfd 0x00000023 call 00007F377CE47990h 0x00000028 pop ecx 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C067E second address: 52C06A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 1A9F3C0Dh 0x00000008 call 00007F377C5325EAh 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov ecx, dword ptr [eax+00000FDCh] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C06A0 second address: 52C06BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47996h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C06BA second address: 52C06CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test ecx, ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C06CC second address: 52C06DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C06DE second address: 52C0747 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F377C5325F1h 0x00000009 jmp 00007F377C5325EBh 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007F377C5325F8h 0x00000015 sbb ah, 00000078h 0x00000018 jmp 00007F377C5325EBh 0x0000001d popfd 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 jns 00007F377C53263Ch 0x00000027 pushad 0x00000028 call 00007F377C5325EBh 0x0000002d pushad 0x0000002e popad 0x0000002f pop eax 0x00000030 popad 0x00000031 add eax, ecx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0747 second address: 52C074E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C074E second address: 52C0791 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 241Ch 0x00000007 pushfd 0x00000008 jmp 00007F377C5325F5h 0x0000000d adc esi, 7E01A676h 0x00000013 jmp 00007F377C5325F1h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov ecx, dword ptr [ebp+08h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov esi, edi 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B01E9 second address: 52B01F7 instructions: 0x00000000 rdtsc 0x00000002 mov ah, E9h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B01F7 second address: 52B01FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B01FB second address: 52B01FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B01FF second address: 52B0205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0205 second address: 52B020B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B020B second address: 52B020F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B020F second address: 52B02AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov cx, 3331h 0x0000000e pushfd 0x0000000f jmp 00007F377CE4798Eh 0x00000014 or cx, E308h 0x00000019 jmp 00007F377CE4798Bh 0x0000001e popfd 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 jmp 00007F377CE47996h 0x00000027 sub esp, 2Ch 0x0000002a pushad 0x0000002b movzx esi, di 0x0000002e mov si, bx 0x00000031 popad 0x00000032 push eax 0x00000033 pushad 0x00000034 pushfd 0x00000035 jmp 00007F377CE47990h 0x0000003a jmp 00007F377CE47995h 0x0000003f popfd 0x00000040 mov eax, 69842137h 0x00000045 popad 0x00000046 mov dword ptr [esp], ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F377CE47999h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B02AE second address: 52B02BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377C5325ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B02BE second address: 52B02DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F377CE47993h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B038B second address: 52B03C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 jmp 00007F377C5325EDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d sub edi, edi 0x0000000f jmp 00007F377C5325F7h 0x00000014 inc ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B03C0 second address: 52B03C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B03C4 second address: 52B03C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B03C8 second address: 52B03CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B03CE second address: 52B03EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 621Fh 0x00000007 mov edi, esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c test al, al 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F377C5325EDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B03EB second address: 52B044A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, BFh 0x00000005 mov ax, 5BFFh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F377CE47C35h 0x00000012 pushad 0x00000013 mov esi, 263FCBF7h 0x00000018 mov eax, 709B3093h 0x0000001d popad 0x0000001e lea ecx, dword ptr [ebp-14h] 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F377CE47994h 0x00000028 sbb ax, 7518h 0x0000002d jmp 00007F377CE4798Bh 0x00000032 popfd 0x00000033 mov di, si 0x00000036 popad 0x00000037 mov dword ptr [ebp-14h], edi 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F377CE4798Ch 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B044A second address: 52B0450 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0450 second address: 52B0456 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0456 second address: 52B045A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B04C6 second address: 52B04CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B04CC second address: 52B04D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0549 second address: 52B054F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B054F second address: 52B055F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B055F second address: 52B0565 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0565 second address: 52B05CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F377C5325F1h 0x00000009 adc al, 00000006h 0x0000000c jmp 00007F377C5325F1h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F377C5325F0h 0x00000018 jmp 00007F377C5325F5h 0x0000001d popfd 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 jg 00007F37ECEA04B9h 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F377C5325EDh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B05CE second address: 52B05F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47991h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F377CE47A49h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F377CE4798Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B05F8 second address: 52B0608 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377C5325ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0608 second address: 52B064B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [ebp-14h], edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushfd 0x00000014 jmp 00007F377CE47991h 0x00000019 sub si, 9F36h 0x0000001e jmp 00007F377CE47991h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B064B second address: 52B0650 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0650 second address: 52B0689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F377CE4798Dh 0x0000000a adc eax, 4C3BF096h 0x00000010 jmp 00007F377CE47991h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 jne 00007F37ED7B57A4h 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0689 second address: 52B068F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B068F second address: 52B06A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377CE47991h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B06A4 second address: 52B06F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F377C5325F6h 0x00000014 or cl, 00000048h 0x00000017 jmp 00007F377C5325EBh 0x0000001c popfd 0x0000001d call 00007F377C5325F8h 0x00000022 pop ecx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B06F2 second address: 52B0719 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47990h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-2Ch] 0x0000000c pushad 0x0000000d mov esi, 5E38ED6Dh 0x00000012 mov edi, esi 0x00000014 popad 0x00000015 xchg eax, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0719 second address: 52B071D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B071D second address: 52B072E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B072E second address: 52B073E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377C5325ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B073E second address: 52B0742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0742 second address: 52B075A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F377C5325EDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B075A second address: 52B077F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47991h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F377CE4798Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B077F second address: 52B07C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov ecx, 5EBF19C3h 0x00000010 mov di, si 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F377C5325EEh 0x0000001e sbb si, D888h 0x00000023 jmp 00007F377C5325EBh 0x00000028 popfd 0x00000029 push ecx 0x0000002a pop ebx 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B07C6 second address: 52B0887 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE47995h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b pushad 0x0000000c mov edi, esi 0x0000000e pushfd 0x0000000f jmp 00007F377CE47996h 0x00000014 add ax, 4D48h 0x00000019 jmp 00007F377CE4798Bh 0x0000001e popfd 0x0000001f popad 0x00000020 popad 0x00000021 xchg eax, ebx 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F377CE47990h 0x00000029 jmp 00007F377CE47995h 0x0000002e popfd 0x0000002f pushfd 0x00000030 jmp 00007F377CE47990h 0x00000035 add eax, 0A398208h 0x0000003b jmp 00007F377CE4798Bh 0x00000040 popfd 0x00000041 popad 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 pushfd 0x00000047 jmp 00007F377CE47992h 0x0000004c add si, A468h 0x00000051 jmp 00007F377CE4798Bh 0x00000056 popfd 0x00000057 mov bx, si 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0887 second address: 52B089B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377C5325F0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B089B second address: 52B08BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov bl, al 0x0000000e jmp 00007F377CE47995h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0902 second address: 52B0908 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0908 second address: 52B0959 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F377CE47990h 0x00000009 xor si, C118h 0x0000000e jmp 00007F377CE4798Bh 0x00000013 popfd 0x00000014 call 00007F377CE47998h 0x00000019 pop esi 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov esi, eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F377CE4798Ch 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0959 second address: 52B002F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b pushad 0x0000000c push ecx 0x0000000d mov ax, dx 0x00000010 pop edi 0x00000011 mov di, ax 0x00000014 popad 0x00000015 je 00007F37ECEA02C7h 0x0000001b xor eax, eax 0x0000001d jmp 00007F377C50BD1Ah 0x00000022 pop esi 0x00000023 pop edi 0x00000024 pop ebx 0x00000025 leave 0x00000026 retn 0004h 0x00000029 nop 0x0000002a mov edi, eax 0x0000002c cmp edi, 00000000h 0x0000002f setne al 0x00000032 xor ebx, ebx 0x00000034 test al, 01h 0x00000036 jne 00007F377C5325E7h 0x00000038 jmp 00007F377C5326D9h 0x0000003d call 00007F37812D9D60h 0x00000042 mov edi, edi 0x00000044 pushad 0x00000045 pushfd 0x00000046 jmp 00007F377C5325EAh 0x0000004b or cl, FFFFFF98h 0x0000004e jmp 00007F377C5325EBh 0x00000053 popfd 0x00000054 popad 0x00000055 push esi 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F377C5325ECh 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B002F second address: 52B0035 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0035 second address: 52B013D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d pushad 0x0000000e mov dx, cx 0x00000011 push eax 0x00000012 pop edx 0x00000013 popad 0x00000014 movzx esi, di 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a jmp 00007F377C5325F7h 0x0000001f xchg eax, ecx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F377C5325F4h 0x00000027 jmp 00007F377C5325F5h 0x0000002c popfd 0x0000002d push eax 0x0000002e pushfd 0x0000002f jmp 00007F377C5325F7h 0x00000034 jmp 00007F377C5325F3h 0x00000039 popfd 0x0000003a pop esi 0x0000003b popad 0x0000003c push eax 0x0000003d pushad 0x0000003e pushfd 0x0000003f jmp 00007F377C5325F4h 0x00000044 add si, 40D8h 0x00000049 jmp 00007F377C5325EBh 0x0000004e popfd 0x0000004f mov ebx, ecx 0x00000051 popad 0x00000052 xchg eax, ecx 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 jmp 00007F377C5325F7h 0x0000005b pushfd 0x0000005c jmp 00007F377C5325F8h 0x00000061 and esi, 3E488598h 0x00000067 jmp 00007F377C5325EBh 0x0000006c popfd 0x0000006d popad 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B013D second address: 52B0155 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377CE47994h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0155 second address: 52B0184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [ebp-04h], 55534552h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F377C5325F5h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0184 second address: 52B018A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B018A second address: 52B018E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B018E second address: 52B0192 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0DBE second address: 52B0DCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F377C5325ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0DCE second address: 52B0E1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F377CE47996h 0x00000011 push eax 0x00000012 jmp 00007F377CE4798Bh 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F377CE47995h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0E1A second address: 52B0E20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0E20 second address: 52B0E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0E24 second address: 52B0E42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F377C5325F2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52B0E42 second address: 52B0E9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377CE4798Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [75C7459Ch], 05h 0x00000010 pushad 0x00000011 mov edi, 78EF4966h 0x00000016 popad 0x00000017 je 00007F37ED7A5526h 0x0000001d pushad 0x0000001e mov ch, dl 0x00000020 pushfd 0x00000021 jmp 00007F377CE47994h 0x00000026 or si, 2108h 0x0000002b jmp 00007F377CE4798Bh 0x00000030 popfd 0x00000031 popad 0x00000032 pop ebp 0x00000033 pushad 0x00000034 mov ecx, 7A8DF09Bh 0x00000039 push eax 0x0000003a push edx 0x0000003b movzx esi, di 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C00F9 second address: 52C00FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C00FF second address: 52C0103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0C9F second address: 52C0CE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, 2A1BE641h 0x0000000e popad 0x0000000f xchg eax, esi 0x00000010 jmp 00007F377C5325ECh 0x00000015 push eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 call 00007F377C5325F7h 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0E0E second address: 52C0E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 mov ebx, 4A362D6Eh 0x0000000c pop edi 0x0000000d popad 0x0000000e cmp dword ptr [75C7459Ch], 05h 0x00000015 pushad 0x00000016 movzx esi, bx 0x00000019 pushad 0x0000001a movsx ebx, ax 0x0000001d mov ax, 241Bh 0x00000021 popad 0x00000022 popad 0x00000023 je 00007F37ED7ACFECh 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F377CE4798Dh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0E46 second address: 52C0E71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F377C5325EEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0E71 second address: 52C0E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0E75 second address: 52C0E7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0E7B second address: 52C0E81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0E81 second address: 52C0E85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0EEC second address: 52C0EF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0EF0 second address: 52C0F0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F377C5325F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52C0F0C second address: 52C0F12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 6ED84C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 6ED4DE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 533E43 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 6F9B71 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 77E989 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 7556	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7568	Thread sleep time: -30000s >= -30000s			Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: file.exe, 00000000.00000002.1851706509.00000000006D1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, file.exe, 00000000.00000003.1690697919.000000000128B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700772120.000000000128B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1852469176.000000000128A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.000000000128A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1852411307.000000000120E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1851706509.00000000006D1000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.1690697919.0000000001271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1850629516.0000000001271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1852469176.0000000001271000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1700659896.0000000001271000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW$

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe, 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: clearancek.site
Source: file.exe, 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: licendfilteo.site
Source: file.exe, 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: spirittunek.stor
Source: file.exe, 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: bathdoomgaz.stor
Source: file.exe, 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: studennotediw.stor
Source: file.exe, 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: dissapoiznw.stor
Source: file.exe, 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: eaglepawnoy.stor
Source: file.exe, 00000000.00000002.1851513309.00000000004D1000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: mobbipenju.stor

Source: file.exe, 00000000.00000002.1851840993.0000000000715000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: rProgram Manager

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: Wallets/Electrum
Source: file.exe	String found in binary or memory: Wallets/ElectronCash
Source: file.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: file.exe	String found in binary or memory: window-state.json
Source: file.exe	String found in binary or memory: ExodusWeb3
Source: file.exe	String found in binary or memory: Wallets/Ethereum
Source: file.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Searches for user specific document files

Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NEBFQQYWPS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\XZXHAVGRAG	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: file.exe PID: 7436, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: file.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

ID:	1538068
Product:	CloudBasic
Start time:	08:38:08
Start date:	20.10.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	ae7fda647df94fb9207204a517856151
SHA1:	57e738f83c355c72b9d48e0b120a27c40889c38e
SHA256:	7da052a541128f2cdacb400d37b765039cac8b4e293fc53a88ac721c144950c9
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by