Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1538479
MD5:	dc43c9288aea0674eedfbe45f76ce6cc
SHA1:	10bfb95432e5f7ae66ef733ff82f9754dbfdd058
SHA256:	96681940b7062345ddf56e494ee4f177098d5789c38eba3f6d751389a029d25a
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

LummaC encrypted strings found

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com:443/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: file.exe.4876.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["eaglepawnoy.store", "spirittunek.store", "licendfilteo.site", "mobbipenju.store", "clearancek.site", "studennotediw.store", "bathdoomgaz.store", "dissapoiznw.store"], "Build id": "BYc--0"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.store
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.store
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.store
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.store
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.store
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.store
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49711 version: TLS 1.2

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BC50FA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00B8D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00B8D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_00BC63B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BC5700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00BC99D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	0_2_00BC695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_00B8FCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00B90EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00BC6094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_00BBF030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00B96F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	0_2_00B81000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00BC4040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_00BAD1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00B942FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00BA2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_00BA2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_00B8A300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_00BC64B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_00B9B410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00BAE40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_00BAC470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00B9D457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_00BC1440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	0_2_00B88590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00B96536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	0_2_00BC7520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00BA9510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00BAE66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00BBB650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00BAD7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	0_2_00BC67EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_00BC7710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00BA28E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_00B849A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	0_2_00BC3920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_00B9D961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00B91ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00B91A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_00B85A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00BC4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00BB0B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00B91BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00B93BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	0_2_00B9DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	0_2_00B9DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00BC9B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00BAAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	0_2_00BAAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BC9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	0_2_00BC9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	0_2_00BACCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BACCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	0_2_00BACCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	0_2_00BBFC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_00BA7C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	0_2_00BAEC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BC8D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00BADD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	0_2_00BAFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_00B96EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	0_2_00B8BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00B86EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00B91E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	0_2_00B94E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BA5E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00BA7E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	0_2_00BAAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00B96F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	0_2_00B9FFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00B88FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00BC5FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	0_2_00BC7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BC7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BBFF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00BA9F62

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:61633 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:54440 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:53030 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:53312 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:62675 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:56684 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:52867 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:55726 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49711 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: eaglepawnoy.store
Source: Malware configuration extractor	URLs: spirittunek.store
Source: Malware configuration extractor	URLs: licendfilteo.site
Source: Malware configuration extractor	URLs: mobbipenju.store
Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: studennotediw.store
Source: Malware configuration extractor	URLs: bathdoomgaz.store
Source: Malware configuration extractor	URLs: dissapoiznw.store

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AKAMAI-ASUS AKAMAI-ASUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000000.00000002.2214944045.000000000059B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195659404.000000000059B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://h equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: YContent-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd883ccb3237fa39d2837163d0f38217b; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=b2ccaf742db2c221676d7547; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25258Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 21 Oct 2024 09:37:10 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlAF equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: elp.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195691419.0000000000561000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.0000000000561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195691419.0000000000561000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.0000000000561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195691419.0000000000561000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.0000000000561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.2195691419.000000000054E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bathdoomgaz.store:443/apipg
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000002.2214899190.0000000000583000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site/api7
Source: file.exe, 00000000.00000003.2195691419.000000000054E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site:443/api
Source: file.exe, 00000000.00000003.2195691419.000000000054E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site:443/apii
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/applications/community/main.css?v=DVae4t4RZiHA&l=en
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/globalv2.css?v=dQy8Omh4p9PH&l=english
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=english
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/header.css?v=pTvrRy1pm52p&l=english
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195691419.0000000000561000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.0000000000561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/libraries~b28b7af69.js?v=
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195691419.0000000000561000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.0000000000561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/main.js?v=4XouecKy8sZy&am
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/manifest.js?v=r7a4-LYcQOj
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/global.js?v=7qlUmHSJhPRN&l=english
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL&l=
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/css/buttons.css?v=-WV9f1LdxEjq&l=english
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/css/motiva_sans.css?v=v7XTmVzbLV33&l=english
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/css/shared_global.css?v=uF6G1wyNU-4c&l=english
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/css/shared_responsive.css?v=kR9MtmbWSZEp&l=engli
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&l=engl
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/shared_global.js?v=7glT1n_nkVCs&l=eng
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvIAKtunf
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.2195691419.000000000054E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eaglepawnoy.store:443/api
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.2195691419.000000000054E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spirittunek.store:443/api
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.c
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195691419.0000000000561000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.0000000000561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000002.2214899190.0000000000565000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/(
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195691419.0000000000561000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.0000000000561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.2214899190.0000000000565000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000002.2214770282.0000000000545000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900&&
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.2195691419.000000000054E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214899190.0000000000583000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000002.2214899190.0000000000583000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd883ccb3237fa39
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195691419.0000000000561000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.0000000000561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49711 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B90228	0_2_00B90228
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCA0D0	0_2_00BCA0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B92030	0_2_00B92030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81000	0_2_00B81000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC4040	0_2_00BC4040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A	0_2_00D4D02A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8E1A0	0_2_00B8E1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B871F0	0_2_00B871F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4811A	0_2_00D4811A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B85160	0_2_00B85160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B812F7	0_2_00B812F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB82D0	0_2_00BB82D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB12D0	0_2_00BB12D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D572AB	0_2_00D572AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8B3A0	0_2_00B8B3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B813A3	0_2_00B813A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB23E0	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8A300	0_2_00B8A300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5C32D	0_2_00D5C32D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9049B	0_2_00B9049B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B94487	0_2_00B94487
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB64F0	0_2_00BB64F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BAC470	0_2_00BAC470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B835B0	0_2_00B835B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B88590	0_2_00B88590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9C5F0	0_2_00B9C5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC86F0	0_2_00BC86F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BBF620	0_2_00BBF620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4666E	0_2_00D4666E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2E60D	0_2_00D2E60D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC8652	0_2_00BC8652
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8164F	0_2_00B8164F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5A7BD	0_2_00D5A7BD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BBE8A0	0_2_00BBE8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5F8C8	0_2_00D5F8C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BBB8C0	0_2_00BBB8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB1860	0_2_00BB1860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8A850	0_2_00B8A850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC89A0	0_2_00BC89A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA098B	0_2_00BA098B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D50AD6	0_2_00D50AD6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC7AB0	0_2_00BC7AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CACAC5	0_2_00CACAC5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC8A80	0_2_00BC8A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC4A40	0_2_00BC4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B87BF0	0_2_00B87BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D49B59	0_2_00D49B59
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9DB6F	0_2_00B9DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF9B5B	0_2_00BF9B5B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC6CBF	0_2_00BC6CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BACCD0	0_2_00BACCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC8C02	0_2_00BC8C02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C09C16	0_2_00C09C16
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D53C0F	0_2_00D53C0F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB9DD0	0_2_00CB9DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C29D52	0_2_00C29D52
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BADD29	0_2_00BADD29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BAFD10	0_2_00BAFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA8D62	0_2_00BA8D62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D58D3B	0_2_00D58D3B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B96EBF	0_2_00B96EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8BEB0	0_2_00B8BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B94E2A	0_2_00B94E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC8E70	0_2_00BC8E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BAAE57	0_2_00BAAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D11FC5	0_2_00D11FC5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E06F86	0_2_00E06F86
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B88FD0	0_2_00B88FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC7FC0	0_2_00BC7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8AF10	0_2_00B8AF10

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B8CAA0 appears 48 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B9D300 appears 152 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: ZLIB complexity 0.9996132425742574

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@9/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB8220 CoCreateInstance,

0_2_00BB8220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 2986496 > 1048576

Source: file.exe

Static PE information: Raw size of ugbetnis is bigger than: 0x100000 < 0x2afa00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.b80000.0.unpack :EW;.rsrc :W;.idata :W;ugbetnis:EW;nmfuvorh:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;ugbetnis:EW;nmfuvorh:EW;.taggant:EW;

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x2dab13 should be: 0x2e0b37

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: ugbetnis
Source: file.exe	Static PE information: section name: nmfuvorh
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7F06B push 472D0FD6h; mov dword ptr [esp], edi	0_2_00E7F108
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7F06B push 59D9D71Bh; mov dword ptr [esp], ebp	0_2_00E7F135
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4306D push edi; mov dword ptr [esp], 5A37E455h	0_2_00C43106
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4306D push 383EA6A1h; mov dword ptr [esp], ebx	0_2_00C43150
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4306D push eax; mov dword ptr [esp], ebx	0_2_00C43178
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D8703F push 6FEABE20h; mov dword ptr [esp], edx	0_2_00D87072
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push esi; mov dword ptr [esp], ebp	0_2_00D4D039
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push edi; mov dword ptr [esp], 7EDA5782h	0_2_00D4D07C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 4777AC65h; mov dword ptr [esp], eax	0_2_00D4D0D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push edi; mov dword ptr [esp], ebx	0_2_00D4D0F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 36BFE9E0h; mov dword ptr [esp], edi	0_2_00D4D107
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 5FD9CD7Ch; mov dword ptr [esp], esi	0_2_00D4D144
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push ebp; mov dword ptr [esp], 777F2C84h	0_2_00D4D169
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 058F03BCh; mov dword ptr [esp], eax	0_2_00D4D1CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push edx; mov dword ptr [esp], 735A606Bh	0_2_00D4D1D9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push edi; mov dword ptr [esp], 567E7BD1h	0_2_00D4D224
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push ecx; mov dword ptr [esp], ebx	0_2_00D4D2E6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 325E1001h; mov dword ptr [esp], edx	0_2_00D4D344
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push ecx; mov dword ptr [esp], ebp	0_2_00D4D35E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push esi; mov dword ptr [esp], 1FAB12A0h	0_2_00D4D38E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push esi; mov dword ptr [esp], edi	0_2_00D4D3D3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 76F5C44Bh; mov dword ptr [esp], ebp	0_2_00D4D3F2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 5FD7482Dh; mov dword ptr [esp], esi	0_2_00D4D442
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 78029952h; mov dword ptr [esp], ebx	0_2_00D4D47B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push edx; mov dword ptr [esp], ebp	0_2_00D4D49A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 7F4E2BCEh; mov dword ptr [esp], eax	0_2_00D4D4F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push ebp; mov dword ptr [esp], edx	0_2_00D4D4FB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push ebx; mov dword ptr [esp], eax	0_2_00D4D53C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 35AE3E43h; mov dword ptr [esp], ebx	0_2_00D4D581
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push edx; mov dword ptr [esp], 6D406487h	0_2_00D4D5DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 4189E539h; mov dword ptr [esp], ecx	0_2_00D4D603

Source: file.exe

Static PE information: section name: entropy: 7.988947159062327

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE3D49 second address: BE3D53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F5FAD07F446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6556F second address: D65593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jg 00007F5FACC61D06h 0x0000000c popad 0x0000000d jmp 00007F5FACC61D0Fh 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push esi 0x00000019 pop esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4B0FE second address: D4B102 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6458C second address: D645A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5FACC61D0Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D645A2 second address: D645AF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5FAD07F446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D648BC second address: D648CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop ecx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D648CC second address: D648DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F5FAD07F44Eh 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D648DE second address: D648E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D648E2 second address: D648E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D67714 second address: D6778E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5FACC61D0Dh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jns 00007F5FACC61D0Eh 0x00000014 jc 00007F5FACC61D08h 0x0000001a nop 0x0000001b mov dx, 7BF4h 0x0000001f push 00000000h 0x00000021 or dword ptr [ebp+122D3A78h], edx 0x00000027 xor dword ptr [ebp+122D1CCFh], ebx 0x0000002d push 9DDBF869h 0x00000032 pushad 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 pop edx 0x00000037 push ecx 0x00000038 jnc 00007F5FACC61D06h 0x0000003e pop ecx 0x0000003f popad 0x00000040 add dword ptr [esp], 62240817h 0x00000047 push 00000003h 0x00000049 movzx edx, dx 0x0000004c movsx edx, dx 0x0000004f push 00000000h 0x00000051 or edi, 50580213h 0x00000057 push 00000003h 0x00000059 push ecx 0x0000005a sub dword ptr [ebp+122D3640h], esi 0x00000060 pop edi 0x00000061 push AF458B63h 0x00000066 push eax 0x00000067 push edx 0x00000068 jc 00007F5FACC61D0Ch 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6778E second address: D67792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D67792 second address: D677E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FACC61D14h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 6F458B63h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F5FACC61D08h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a cmc 0x0000002b mov dl, bh 0x0000002d lea ebx, dword ptr [ebp+124575CDh] 0x00000033 sub ecx, dword ptr [ebp+122D39AEh] 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f pop edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D677E7 second address: D677EC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6793D second address: D67992 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FACC61D17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F5FACC61D08h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 mov edx, 6FA7CC7Ah 0x0000002b push 00000000h 0x0000002d mov edi, dword ptr [ebp+122D2D73h] 0x00000033 call 00007F5FACC61D09h 0x00000038 push esi 0x00000039 push ebx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D67992 second address: D679A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a je 00007F5FAD07F446h 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D679A3 second address: D679D9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5FACC61D08h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jng 00007F5FACC61D1Ah 0x00000014 pushad 0x00000015 jmp 00007F5FACC61D0Ch 0x0000001a jne 00007F5FACC61D06h 0x00000020 popad 0x00000021 mov eax, dword ptr [eax] 0x00000023 jng 00007F5FACC61D10h 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c pop eax 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D679D9 second address: D679E8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D679E8 second address: D679EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4CB36 second address: D4CB3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4CB3A second address: D4CB76 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5FACC61D06h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f jmp 00007F5FACC61D0Ch 0x00000014 jg 00007F5FACC61D06h 0x0000001a jmp 00007F5FACC61D17h 0x0000001f popad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D85A4B second address: D85A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FAD07F452h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D85EDF second address: D85EEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F5FACC61D06h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86042 second address: D8608E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F44Ch 0x00000007 jng 00007F5FAD07F446h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F5FAD07F451h 0x00000014 pop esi 0x00000015 pushad 0x00000016 jmp 00007F5FAD07F44Fh 0x0000001b jmp 00007F5FAD07F44Ah 0x00000020 push esi 0x00000021 push eax 0x00000022 pop eax 0x00000023 pushad 0x00000024 popad 0x00000025 pop esi 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8608E second address: D86092 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86317 second address: D86336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5FAD07F446h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5FAD07F450h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86336 second address: D8633A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8633A second address: D86344 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5FAD07F446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86344 second address: D8635B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5FACC61D0Fh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8635B second address: D8635F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D865CC second address: D865F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D13h 0x00000009 pop eax 0x0000000a jmp 00007F5FACC61D0Ch 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D865F3 second address: D865F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D865F9 second address: D865FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D865FF second address: D86605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86605 second address: D86614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F5FACC61D06h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86A58 second address: D86A82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F453h 0x00000007 je 00007F5FAD07F446h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnp 00007F5FAD07F44Ah 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 push eax 0x00000018 pop eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86A82 second address: D86A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86BFD second address: D86C35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5FAD07F454h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F5FAD07F44Fh 0x00000015 jmp 00007F5FAD07F44Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86C35 second address: D86C39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86C39 second address: D86C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86C3F second address: D86C45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7D09A second address: D7D0A4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5FAD07F446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7D0A4 second address: D7D0BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FACC61D14h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8736C second address: D87375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87375 second address: D87388 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FACC61D0Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87514 second address: D8751A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8751A second address: D87520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8783F second address: D8784F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F5FAD07F446h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A9D5 second address: D8A9DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F5FACC61D06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A9DF second address: D8AA0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F450h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5FAD07F457h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8AC28 second address: D8AC2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91BB4 second address: D91BD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F456h 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F5FAD07F446h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91D36 second address: D91D3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91D3C second address: D91D41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D920F2 second address: D92112 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F5FACC61D10h 0x0000000e jmp 00007F5FACC61D0Ah 0x00000013 push eax 0x00000014 push edx 0x00000015 jp 00007F5FACC61D06h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D92112 second address: D92129 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F451h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D923CD second address: D923D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D923D1 second address: D923D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D923D9 second address: D923E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93F58 second address: D93F5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93F5E second address: D93F96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FACC61D19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F5FACC61D15h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93F96 second address: D93F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93F9B second address: D93FD1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5FACC61D15h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jl 00007F5FACC61D0Eh 0x00000014 jne 00007F5FACC61D08h 0x0000001a mov eax, dword ptr [eax] 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f jns 00007F5FACC61D06h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93FD1 second address: D93FD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D94319 second address: D9431D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9431D second address: D94323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D94CDD second address: D94D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D12h 0x00000009 popad 0x0000000a push eax 0x0000000b push ecx 0x0000000c jc 00007F5FACC61D08h 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 xchg eax, ebx 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F5FACC61D08h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 jo 00007F5FACC61D0Ch 0x00000036 sub edi, dword ptr [ebp+122D1D3Ch] 0x0000003c mov dword ptr [ebp+122D396Bh], edx 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D94D35 second address: D94D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D94D3B second address: D94D40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D95027 second address: D95045 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F456h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D95045 second address: D95049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D97A5F second address: D97A65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9B423 second address: D9B42D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F5FACC61D06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9B42D second address: D9B43B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9B43B second address: D9B442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9B442 second address: D9B44C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F5FAD07F446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9C047 second address: D9C051 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F5FACC61D06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9C051 second address: D9C055 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA0178 second address: DA017C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA017C second address: DA018F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F44Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9C976 second address: D9C97A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9C97A second address: D9C97E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA0360 second address: DA0364 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA1111 second address: DA111B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5FAD07F44Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA0364 second address: DA036E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA111B second address: DA118B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, 7889AA80h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F5FAD07F448h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000019h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a mov bx, 57D4h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007F5FAD07F448h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a mov edi, dword ptr [ebp+122D2D7Bh] 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 jmp 00007F5FAD07F44Eh 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA20FC second address: DA2101 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA319D second address: DA31AC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007F5FAD07F446h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA41DD second address: DA4263 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5FACC61D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F5FACC61D0Ah 0x0000000f popad 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F5FACC61D08h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d jmp 00007F5FACC61D0Ah 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ebx 0x00000037 call 00007F5FACC61D08h 0x0000003c pop ebx 0x0000003d mov dword ptr [esp+04h], ebx 0x00000041 add dword ptr [esp+04h], 0000001Ch 0x00000049 inc ebx 0x0000004a push ebx 0x0000004b ret 0x0000004c pop ebx 0x0000004d ret 0x0000004e sub dword ptr [ebp+122D3880h], esi 0x00000054 push edx 0x00000055 cld 0x00000056 pop ebx 0x00000057 xchg eax, esi 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F5FACC61D15h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA51FF second address: DA5203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA5203 second address: DA5207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA5207 second address: DA520D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA520D second address: DA526C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F5FACC61D06h 0x00000009 jmp 00007F5FACC61D13h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 jnc 00007F5FACC61D0Ch 0x0000001a and ebx, dword ptr [ebp+122DB877h] 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push edx 0x00000025 call 00007F5FACC61D08h 0x0000002a pop edx 0x0000002b mov dword ptr [esp+04h], edx 0x0000002f add dword ptr [esp+04h], 0000001Ch 0x00000037 inc edx 0x00000038 push edx 0x00000039 ret 0x0000003a pop edx 0x0000003b ret 0x0000003c movzx edi, bx 0x0000003f push 00000000h 0x00000041 cmc 0x00000042 push eax 0x00000043 push edi 0x00000044 push edi 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA61AF second address: DA61B9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5FAD07F44Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA54B4 second address: DA54B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA7178 second address: DA7195 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F459h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA63FE second address: DA6408 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5FACC61D0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA7339 second address: DA7343 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5FAD07F446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA9049 second address: DA905C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FACC61D0Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAB0C6 second address: DAB0CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAB0CA second address: DAB14F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5FACC61D0Fh 0x0000000e pop edx 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F5FACC61D08h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a add di, 56D2h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push eax 0x00000034 call 00007F5FACC61D08h 0x00000039 pop eax 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e add dword ptr [esp+04h], 00000019h 0x00000046 inc eax 0x00000047 push eax 0x00000048 ret 0x00000049 pop eax 0x0000004a ret 0x0000004b jmp 00007F5FACC61D15h 0x00000050 push 00000000h 0x00000052 mov dword ptr [ebp+122D35B8h], edx 0x00000058 xchg eax, esi 0x00000059 push eax 0x0000005a push edx 0x0000005b push esi 0x0000005c pushad 0x0000005d popad 0x0000005e pop esi 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACD32 second address: DACD39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DADD09 second address: DADD0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DADD0E second address: DADDB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F44Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F5FAD07F448h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 jmp 00007F5FAD07F44Eh 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edx 0x0000002e call 00007F5FAD07F448h 0x00000033 pop edx 0x00000034 mov dword ptr [esp+04h], edx 0x00000038 add dword ptr [esp+04h], 00000018h 0x00000040 inc edx 0x00000041 push edx 0x00000042 ret 0x00000043 pop edx 0x00000044 ret 0x00000045 push 00000000h 0x00000047 push 00000000h 0x00000049 push edi 0x0000004a call 00007F5FAD07F448h 0x0000004f pop edi 0x00000050 mov dword ptr [esp+04h], edi 0x00000054 add dword ptr [esp+04h], 0000001Dh 0x0000005c inc edi 0x0000005d push edi 0x0000005e ret 0x0000005f pop edi 0x00000060 ret 0x00000061 xchg eax, esi 0x00000062 je 00007F5FAD07F452h 0x00000068 jg 00007F5FAD07F44Ch 0x0000006e push eax 0x0000006f jbe 00007F5FAD07F458h 0x00000075 push eax 0x00000076 push edx 0x00000077 jp 00007F5FAD07F446h 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACFA1 second address: DACFA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACFA5 second address: DACFA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DADF1D second address: DADF22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAEF99 second address: DAEFA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F5FAD07F446h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56DCD second address: D56DD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB7FC0 second address: DB7FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB7FC6 second address: DB7FCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB7FCA second address: DB7FCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB7FCE second address: DB7FD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB7FD6 second address: DB7FE0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5FAD07F452h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB8372 second address: DB8380 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5FACC61D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB8380 second address: DB838A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB838A second address: DB838E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB838E second address: DB8392 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBB965 second address: DBB969 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBB9F2 second address: DBB9F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBBAFE second address: DBBB08 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5FACC61D0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBBB08 second address: DBBB36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jns 00007F5FAD07F44Eh 0x0000000d jnl 00007F5FAD07F448h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F5FAD07F453h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBBB36 second address: DBBB6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FACC61D15h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push esi 0x0000000c jmp 00007F5FACC61D12h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC191A second address: DC191E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E54 second address: DC1E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC229F second address: DC22A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC248F second address: DC2493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC2493 second address: DC2497 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC2497 second address: DC24A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9D795 second address: D9D7A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 jl 00007F5FAD07F44Eh 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DB26 second address: D9DB70 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 call 00007F5FACC61D13h 0x0000000e mov dword ptr [ebp+122D3606h], edi 0x00000014 pop edx 0x00000015 nop 0x00000016 pushad 0x00000017 push ecx 0x00000018 jnc 00007F5FACC61D06h 0x0000001e pop ecx 0x0000001f jnl 00007F5FACC61D16h 0x00000025 popad 0x00000026 push eax 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DB70 second address: D9DB74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DB74 second address: D9DB78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DC76 second address: D9DCAE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5FAD07F446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 jnl 00007F5FAD07F446h 0x00000016 popad 0x00000017 jmp 00007F5FAD07F457h 0x0000001c popad 0x0000001d mov eax, dword ptr [esp+04h] 0x00000021 push ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DCAE second address: D9DCC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [eax] 0x00000009 js 00007F5FACC61D14h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DCC1 second address: D9DCC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DD7E second address: D9DD83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DE9F second address: D9DEA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DEA3 second address: D9DEE4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F5FACC61D06h 0x0000000d jmp 00007F5FACC61D0Bh 0x00000012 popad 0x00000013 popad 0x00000014 mov dword ptr [esp], eax 0x00000017 jnc 00007F5FACC61D08h 0x0000001d or di, A504h 0x00000022 push 00000004h 0x00000024 mov edx, dword ptr [ebp+1245EE53h] 0x0000002a nop 0x0000002b pushad 0x0000002c jns 00007F5FACC61D08h 0x00000032 pushad 0x00000033 popad 0x00000034 pushad 0x00000035 pushad 0x00000036 popad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DEE4 second address: D9DF02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5FAD07F455h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E26F second address: D9E275 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E275 second address: D9E2C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 0000001Eh 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F5FAD07F448h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D34D9h], ebx 0x0000002d mov dword ptr [ebp+122D3AE5h], ecx 0x00000033 nop 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F5FAD07F454h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E2C1 second address: D9E2C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E2C7 second address: D9E2CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E2CB second address: D9E2CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E642 second address: D9E646 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E646 second address: D9E64C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E64C second address: D9E652 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E652 second address: D9E6AE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F5FACC61D08h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 jng 00007F5FACC61D0Ch 0x00000029 mov dword ptr [ebp+122D1DCCh], esi 0x0000002f lea eax, dword ptr [ebp+1248D0C4h] 0x00000035 pushad 0x00000036 xor si, F0D5h 0x0000003b mov edx, dword ptr [ebp+12455764h] 0x00000041 popad 0x00000042 nop 0x00000043 pushad 0x00000044 push edi 0x00000045 jmp 00007F5FACC61D10h 0x0000004a pop edi 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E6AE second address: D9E6C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F5FAD07F446h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007F5FAD07F44Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E6C9 second address: D9E704 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov cx, 2C21h 0x0000000d lea eax, dword ptr [ebp+1248D080h] 0x00000013 add ecx, 4A162F87h 0x00000019 nop 0x0000001a jo 00007F5FACC61D1Ch 0x00000020 push eax 0x00000021 push edx 0x00000022 push ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC6D4F second address: DC6D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC6D54 second address: DC6D5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jne 00007F5FACC61D06h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC6EC3 second address: DC6EC9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC704E second address: DC7056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC7056 second address: DC7060 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5FAD07F446h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC7060 second address: DC706F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC7485 second address: DC748B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC748B second address: DC7495 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5FACC61D06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D588BD second address: D588C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D588C1 second address: D588DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F5FACC61D0Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCCCDA second address: DCCCE6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5FAD07F44Eh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCCE77 second address: DCCE89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D0Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCCE89 second address: DCCEAF instructions: 0x00000000 rdtsc 0x00000002 js 00007F5FAD07F448h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F5FAD07F446h 0x00000012 jmp 00007F5FAD07F454h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCC89C second address: DCC8B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F5FACC61D06h 0x0000000d jno 00007F5FACC61D06h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCC8B6 second address: DCC8BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD5EF second address: DCD5F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD7B3 second address: DCD7C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F44Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD7C3 second address: DCD7E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F5FACC61D06h 0x0000000a jmp 00007F5FACC61D18h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD7E5 second address: DCD7F9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5FAD07F446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F5FAD07F446h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD989 second address: DCD991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCDC5D second address: DCDC61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCDC61 second address: DCDC67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD114B second address: DD1152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD1152 second address: DD1170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FACC61D18h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD53AD second address: DD53B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD53B1 second address: DD53BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD53BB second address: DD53BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD59B5 second address: DD59C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D0Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD59C6 second address: DD59ED instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5FAD07F448h 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5FAD07F453h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD5B52 second address: DD5B57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD5B57 second address: DD5B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 js 00007F5FAD07F44Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD5B66 second address: DD5B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 jnc 00007F5FACC61D06h 0x0000000f jmp 00007F5FACC61D14h 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD5E77 second address: DD5E84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jne 00007F5FAD07F446h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6052 second address: DD6056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6056 second address: DD6093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F5FAD07F446h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007F5FAD07F44Ch 0x00000012 je 00007F5FAD07F446h 0x00000018 push edi 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d pop edi 0x0000001e popad 0x0000001f je 00007F5FAD07F46Eh 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F5FAD07F454h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6093 second address: DD6097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6097 second address: DD609D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD61DC second address: DD61E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD61E2 second address: DD61E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD61E6 second address: DD621B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F5FACC61D14h 0x0000000e jmp 00007F5FACC61D15h 0x00000013 push esi 0x00000014 pop esi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD621B second address: DD6227 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F5FAD07F446h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6227 second address: DD622B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD64CA second address: DD64D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD690D second address: DD6913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6913 second address: DD6917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6917 second address: DD695F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jne 00007F5FACC61D06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007F5FACC61D1Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jbe 00007F5FACC61D06h 0x0000001d jmp 00007F5FACC61D12h 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD695F second address: DD6965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6965 second address: DD696B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD696B second address: DD6971 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6971 second address: DD6975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD9A10 second address: DD9A16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5BEC7 second address: D5BEDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jg 00007F5FACC61D06h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDB93C second address: DDB942 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDB942 second address: DDB948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDE6DE second address: DDE6EC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDE6EC second address: DDE6F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDE6F2 second address: DDE6F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDE9A2 second address: DDE9E5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5FACC61D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F5FACC61D17h 0x00000012 jbe 00007F5FACC61D06h 0x00000018 popad 0x00000019 push esi 0x0000001a jmp 00007F5FACC61D15h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDE9E5 second address: DDEA04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jnp 00007F5FAD07F446h 0x0000000c jnc 00007F5FAD07F446h 0x00000012 pop eax 0x00000013 popad 0x00000014 jbe 00007F5FAD07F450h 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE3A10 second address: DE3A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE2E6E second address: DE2E9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F44Bh 0x00000007 jmp 00007F5FAD07F459h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE2E9D second address: DE2EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE31A0 second address: DE31A5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE7066 second address: DE707B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D11h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE707B second address: DE707F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE7324 second address: DE733C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F5FACC61D06h 0x00000012 jp 00007F5FACC61D06h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE733C second address: DE7340 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE7340 second address: DE734C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F5FACC61D06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE734C second address: DE7352 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DECD01 second address: DECD05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DECD05 second address: DECD09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DECD09 second address: DECD1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 js 00007F5FACC61D06h 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DECD1C second address: DECD26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DECD26 second address: DECD55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F5FACC61D06h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push esi 0x00000010 jmp 00007F5FACC61D0Eh 0x00000015 pop esi 0x00000016 jc 00007F5FACC61D0Ch 0x0000001c jnp 00007F5FACC61D06h 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEB7BB second address: DEB7C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEB7C1 second address: DEB7C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46158 second address: D4615E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEB936 second address: DEB946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 pushad 0x00000008 jc 00007F5FACC61D06h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEB946 second address: DEB96C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F5FAD07F446h 0x0000000a jng 00007F5FAD07F446h 0x00000010 popad 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5FAD07F452h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E116 second address: D9E11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E11A second address: D9E12D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F44Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E12D second address: D9E169 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5FACC61D08h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b cmc 0x0000000c push 00000004h 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F5FACC61D08h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 mov ecx, esi 0x0000002a mov dword ptr [ebp+122D3856h], eax 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push ecx 0x00000036 pop ecx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E169 second address: D9E173 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5FAD07F446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E173 second address: D9E181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FACC61D0Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF2D1C second address: DF2D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF2E87 second address: DF2E93 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 ja 00007F5FACC61D06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF317B second address: DF317F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF317F second address: DF318A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF3447 second address: DF3457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5FAD07F44Bh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF3457 second address: DF345D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF345D second address: DF3461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF3749 second address: DF3765 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FACC61D18h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF3765 second address: DF377E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007F5FAD07F446h 0x0000000b js 00007F5FAD07F446h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF377E second address: DF3790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D0Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF3790 second address: DF37AC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnp 00007F5FAD07F446h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jns 00007F5FAD07F446h 0x00000013 push edx 0x00000014 pop edx 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF37AC second address: DF37C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FACC61D18h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF48F0 second address: DF48F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF91D1 second address: DF91F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FACC61D0Eh 0x00000007 jc 00007F5FACC61D0Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF91F6 second address: DF91FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF91FC second address: DF921A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jbe 00007F5FACC61D19h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF921A second address: DF9222 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFA8B6 second address: DFA8BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFA8BA second address: DFA8C4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5FAD07F446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFDE41 second address: DFDE85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5FACC61D14h 0x0000000b popad 0x0000000c jns 00007F5FACC61D12h 0x00000012 jng 00007F5FACC61D08h 0x00000018 push eax 0x00000019 pop eax 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFDE85 second address: DFDE8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F5FAD07F446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFDE8F second address: DFDE9E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5FACC61D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E06C98 second address: E06C9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E06C9E second address: E06CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F5FACC61D06h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E04F2B second address: E04F44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FAD07F451h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E04F44 second address: E04F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D10h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E04F5B second address: E04F62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0548A second address: E05495 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E05495 second address: E054A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FAD07F44Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E05778 second address: E05786 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F5FACC61D06h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E05786 second address: E0578A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0578A second address: E05796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E05796 second address: E0579B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0579B second address: E057A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E04A9B second address: E04AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E04AA0 second address: E04AC2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push esi 0x00000007 jno 00007F5FACC61D06h 0x0000000d jp 00007F5FACC61D06h 0x00000013 pop esi 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 pushad 0x00000018 push edx 0x00000019 pop edx 0x0000001a ja 00007F5FACC61D06h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0C1D3 second address: E0C1F0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5FAD07F446h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d ja 00007F5FAD07F44Ch 0x00000013 jp 00007F5FAD07F446h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0C1F0 second address: E0C1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0FB57 second address: E0FB72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F456h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0FB72 second address: E0FB78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0FB78 second address: E0FB7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D500F9 second address: D50110 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5FACC61D12h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D50110 second address: D50116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1DCCB second address: E1DCD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1D825 second address: E1D82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1D82F second address: E1D83E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D0Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1D83E second address: E1D84D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5FAD07F44Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E242C9 second address: E242D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E23CDE second address: E23CEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F5FAD07F446h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2D2B9 second address: E2D2C5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5FACC61D0Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2F463 second address: E2F46D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2F46D second address: E2F473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2F473 second address: E2F47D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E33DB8 second address: E33DD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FACC61D12h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E33DD7 second address: E33DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FAD07F454h 0x00000009 popad 0x0000000a push ebx 0x0000000b jo 00007F5FAD07F446h 0x00000011 jns 00007F5FAD07F446h 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E33DFE second address: E33E03 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E35C8F second address: E35CC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007F5FAD07F44Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5FAD07F456h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E35CC1 second address: E35CC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3DF1D second address: E3DF21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3DF21 second address: E3DF26 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3CD1B second address: E3CD24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3CE76 second address: E3CE88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D0Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3CFF2 second address: E3CFF8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3CFF8 second address: E3CFFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E41693 second address: E416A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F44Bh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E4B2F8 second address: E4B2FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E4D0B8 second address: E4D0C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F5FAD07F446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E4D0C2 second address: E4D0DC instructions: 0x00000000 rdtsc 0x00000002 je 00007F5FACC61D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jnl 00007F5FACC61D06h 0x00000013 jbe 00007F5FACC61D06h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E4D0DC second address: E4D0E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E611B2 second address: E611C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5FACC61D06h 0x0000000a popad 0x0000000b push edi 0x0000000c jp 00007F5FACC61D06h 0x00000012 pop edi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63FF1 second address: E63FF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63FF6 second address: E63FFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63CF0 second address: E63CF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63CF4 second address: E63CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63CFA second address: E63D08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F5FAD07F446h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63D08 second address: E63D10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7C793 second address: E7C7BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F5FAD07F446h 0x00000009 jmp 00007F5FAD07F456h 0x0000000e jp 00007F5FAD07F446h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7CC3C second address: E7CC50 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5FACC61D08h 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F5FACC61D06h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7CC50 second address: E7CC54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7D2B0 second address: E7D2C0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F5FACC61D0Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7D430 second address: E7D436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7D436 second address: E7D43A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7D43A second address: E7D43E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7EDD1 second address: E7EDD7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4820B8E second address: 4820BD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F451h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [eax+00000FDCh] 0x0000000f jmp 00007F5FAD07F44Eh 0x00000014 test ecx, ecx 0x00000016 jmp 00007F5FAD07F450h 0x0000001b jns 00007F5FAD07F494h 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4820BD5 second address: 4820BD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4820BD9 second address: 4820BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4820BDF second address: 4820BEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FACC61D0Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4820BEE second address: 4820C89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F459h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add eax, ecx 0x0000000d jmp 00007F5FAD07F44Eh 0x00000012 mov eax, dword ptr [eax+00000860h] 0x00000018 jmp 00007F5FAD07F450h 0x0000001d test eax, eax 0x0000001f jmp 00007F5FAD07F450h 0x00000024 je 00007F601F195560h 0x0000002a pushad 0x0000002b call 00007F5FAD07F44Eh 0x00000030 mov ch, 31h 0x00000032 pop edi 0x00000033 pushfd 0x00000034 jmp 00007F5FAD07F44Ch 0x00000039 or eax, 5906C468h 0x0000003f jmp 00007F5FAD07F44Bh 0x00000044 popfd 0x00000045 popad 0x00000046 test byte ptr [eax+04h], 00000005h 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d mov bx, 33D6h 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96D60 second address: D96D64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: BE3C80 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: BE3D9F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: BE3C86 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D8AAA9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D9D477 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 2084

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2215264660.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2195582269.000000000056E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214899190.000000000056E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW-
Source: file.exe, 00000000.00000002.2214899190.0000000000583000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214770282.000000000050E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2215264660.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC5BB0 LdrInitializeThunk,

0_2_00BC5BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor

Source: file.exe, 00000000.00000002.2215387610.0000000000DAF000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: eQProgram Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	true

Contacted Domains

Name	IP	Active
steamcommunity.com	104.102.49.254	true
eaglepawnoy.store	unknown	unknown
bathdoomgaz.store	unknown	unknown
spirittunek.store	unknown	unknown
licendfilteo.site	unknown	unknown
studennotediw.store	unknown	unknown
mobbipenju.store	unknown	unknown
clearancek.site	unknown	unknown
dissapoiznw.store	unknown	unknown

Contacted URLs

Name	Malicious	Reputation
bathdoomgaz.store	true	unknown
studennotediw.store	true	unknown
clearancek.site	true	unknown
dissapoiznw.store	true	unknown
https://steamcommunity.com/profiles/76561199724331900	true	unknown
spirittunek.store	true	unknown
licendfilteo.site	true	unknown
eaglepawnoy.store	true	unknown
mobbipenju.store	true	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com:443/profiles/76561199724331900

URL Reputation: Label: malware

Found malware configuration

Source: file.exe.4876.0.memstrmin

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: licendfilteo.site
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: spirittunek.store
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: bathdoomgaz.store
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: studennotediw.store
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: dissapoiznw.store
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: eaglepawnoy.store
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: mobbipenju.store
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clearancek.site
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2215087321.0000000000B81000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 4SD0y4--legendaryy

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49711 version: TLS 1.2

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BC50FA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00B8D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00B8D110
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_00BC63B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BC5700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00BC99D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	0_2_00BC695B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	0_2_00B8FCA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	0_2_00B90EEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00BC6094
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then dec ebx	0_2_00BBF030
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00B96F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	0_2_00B81000
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00BC4040
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_00BAD1E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00B942FC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00BA2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_00BA2260
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebp, eax	0_2_00B8A300
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	0_2_00BC64B8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	0_2_00B9B410
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00BAE40C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	0_2_00BAC470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00B9D457
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	0_2_00BC1440
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	0_2_00B88590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00B96536
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	0_2_00BC7520
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00BA9510
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00BAE66A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00BBB650
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00BAD7AF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	0_2_00BC67EF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	0_2_00BC7710
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_00BA28E9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_00B849A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	0_2_00BC3920
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	0_2_00B9D961
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00B91ACD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00B91A3C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	0_2_00B85A50
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	0_2_00BC4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_00BB0B80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00B91BEE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	0_2_00B93BE2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	0_2_00B9DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	0_2_00B9DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	0_2_00BC9B60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00BAAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], ax	0_2_00BAAC91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BC9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	0_2_00BC9CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	0_2_00BACCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BACCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	0_2_00BACCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	0_2_00BBFC20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	0_2_00BA7C00
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	0_2_00BAEC48
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BC8D8A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	0_2_00BADD29
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	0_2_00BAFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	0_2_00B96EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	0_2_00B8BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	0_2_00B86EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	0_2_00B91E93
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edi, ecx	0_2_00B94E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BA5E70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00BA7E60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	0_2_00BAAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	0_2_00B96F91
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [edx], 0000h	0_2_00B9FFDF
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00B88FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_00BC5FD6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	0_2_00BC7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BC7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp]	0_2_00BBFF70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp eax	0_2_00BA9F62

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:61633 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:54440 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:53030 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:53312 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:62675 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:56684 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:52867 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:55726 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49711 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: eaglepawnoy.store
Source: Malware configuration extractor	URLs: spirittunek.store
Source: Malware configuration extractor	URLs: licendfilteo.site
Source: Malware configuration extractor	URLs: mobbipenju.store
Source: Malware configuration extractor	URLs: clearancek.site
Source: Malware configuration extractor	URLs: studennotediw.store
Source: Malware configuration extractor	URLs: bathdoomgaz.store
Source: Malware configuration extractor	URLs: dissapoiznw.store

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 104.102.49.254 104.102.49.254

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AKAMAI-ASUS AKAMAI-ASUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: file.exe, 00000000.00000002.2214944045.000000000059B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195659404.000000000059B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://h equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: YContent-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd883ccb3237fa39d2837163d0f38217b; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=b2ccaf742db2c221676d7547; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25258Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveMon, 21 Oct 2024 09:37:10 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlAF equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: elp.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: clearancek.site
Source: global traffic	DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic	DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic	DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic	DNS traffic detected: DNS query: studennotediw.store
Source: global traffic	DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic	DNS traffic detected: DNS query: spirittunek.store
Source: global traffic	DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195691419.0000000000561000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.0000000000561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195691419.0000000000561000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.0000000000561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195691419.0000000000561000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.0000000000561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.2195691419.000000000054E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bathdoomgaz.store:443/apipg
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000002.2214899190.0000000000583000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site/api7
Source: file.exe, 00000000.00000003.2195691419.000000000054E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site:443/api
Source: file.exe, 00000000.00000003.2195691419.000000000054E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clearancek.site:443/apii
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/applications/community/main.css?v=DVae4t4RZiHA&l=en
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/globalv2.css?v=dQy8Omh4p9PH&l=english
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=english
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/css/skin_1/header.css?v=pTvrRy1pm52p&l=english
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195691419.0000000000561000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.0000000000561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/libraries~b28b7af69.js?v=
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195691419.0000000000561000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.0000000000561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/main.js?v=4XouecKy8sZy&am
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/applications/community/manifest.js?v=r7a4-LYcQOj
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/global.js?v=7qlUmHSJhPRN&l=english
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL&l=
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/css/buttons.css?v=-WV9f1LdxEjq&l=english
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/css/motiva_sans.css?v=v7XTmVzbLV33&l=english
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/css/shared_global.css?v=uF6G1wyNU-4c&l=english
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/css/shared_responsive.css?v=kR9MtmbWSZEp&l=engli
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1&l=engl
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/shared_global.js?v=7glT1n_nkVCs&l=eng
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvIAKtunf
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: file.exe, 00000000.00000003.2195691419.000000000054E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eaglepawnoy.store:443/api
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: file.exe, 00000000.00000003.2195691419.000000000054E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spirittunek.store:443/api
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.c
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195691419.0000000000561000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.0000000000561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000002.2214899190.0000000000565000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/(
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195691419.0000000000561000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.0000000000561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000002.2214899190.0000000000565000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000002.2214770282.0000000000545000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900&&
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.2195691419.000000000054E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.000000000054E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214899190.0000000000583000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000002.2214899190.0000000000583000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cd883ccb3237fa39
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195691419.0000000000561000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214859085.0000000000561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: file.exe, 00000000.00000003.2195560224.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000563000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443

Source: unknown

HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49711 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B90228	0_2_00B90228
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BCA0D0	0_2_00BCA0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B92030	0_2_00B92030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B81000	0_2_00B81000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC4040	0_2_00BC4040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A	0_2_00D4D02A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8E1A0	0_2_00B8E1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B871F0	0_2_00B871F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4811A	0_2_00D4811A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B85160	0_2_00B85160
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B812F7	0_2_00B812F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB82D0	0_2_00BB82D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB12D0	0_2_00BB12D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D572AB	0_2_00D572AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8B3A0	0_2_00B8B3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B813A3	0_2_00B813A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB23E0	0_2_00BB23E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8A300	0_2_00B8A300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5C32D	0_2_00D5C32D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9049B	0_2_00B9049B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B94487	0_2_00B94487
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB64F0	0_2_00BB64F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BAC470	0_2_00BAC470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B835B0	0_2_00B835B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B88590	0_2_00B88590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9C5F0	0_2_00B9C5F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC86F0	0_2_00BC86F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BBF620	0_2_00BBF620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4666E	0_2_00D4666E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2E60D	0_2_00D2E60D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC8652	0_2_00BC8652
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8164F	0_2_00B8164F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5A7BD	0_2_00D5A7BD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BBE8A0	0_2_00BBE8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5F8C8	0_2_00D5F8C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BBB8C0	0_2_00BBB8C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB1860	0_2_00BB1860
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8A850	0_2_00B8A850
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC89A0	0_2_00BC89A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA098B	0_2_00BA098B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D50AD6	0_2_00D50AD6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC7AB0	0_2_00BC7AB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CACAC5	0_2_00CACAC5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC8A80	0_2_00BC8A80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC4A40	0_2_00BC4A40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B87BF0	0_2_00B87BF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D49B59	0_2_00D49B59
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B9DB6F	0_2_00B9DB6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF9B5B	0_2_00BF9B5B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC6CBF	0_2_00BC6CBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BACCD0	0_2_00BACCD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC8C02	0_2_00BC8C02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C09C16	0_2_00C09C16
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D53C0F	0_2_00D53C0F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB9DD0	0_2_00CB9DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C29D52	0_2_00C29D52
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BADD29	0_2_00BADD29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BAFD10	0_2_00BAFD10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BA8D62	0_2_00BA8D62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D58D3B	0_2_00D58D3B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B96EBF	0_2_00B96EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8BEB0	0_2_00B8BEB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B94E2A	0_2_00B94E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC8E70	0_2_00BC8E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BAAE57	0_2_00BAAE57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D11FC5	0_2_00D11FC5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E06F86	0_2_00E06F86
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B88FD0	0_2_00B88FD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC7FC0	0_2_00BC7FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B8AF10	0_2_00B8AF10

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B8CAA0 appears 48 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00B9D300 appears 152 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: ZLIB complexity 0.9996132425742574

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@9/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BB8220 CoCreateInstance,

0_2_00BB8220

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior

Source: file.exe

Static file information: File size 2986496 > 1048576

Source: file.exe

Static PE information: Raw size of ugbetnis is bigger than: 0x100000 < 0x2afa00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.b80000.0.unpack :EW;.rsrc :W;.idata :W;ugbetnis:EW;nmfuvorh:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;ugbetnis:EW;nmfuvorh:EW;.taggant:EW;

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x2dab13 should be: 0x2e0b37

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name: ugbetnis
Source: file.exe	Static PE information: section name: nmfuvorh
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7F06B push 472D0FD6h; mov dword ptr [esp], edi	0_2_00E7F108
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7F06B push 59D9D71Bh; mov dword ptr [esp], ebp	0_2_00E7F135
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4306D push edi; mov dword ptr [esp], 5A37E455h	0_2_00C43106
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4306D push 383EA6A1h; mov dword ptr [esp], ebx	0_2_00C43150
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C4306D push eax; mov dword ptr [esp], ebx	0_2_00C43178
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D8703F push 6FEABE20h; mov dword ptr [esp], edx	0_2_00D87072
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push esi; mov dword ptr [esp], ebp	0_2_00D4D039
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push edi; mov dword ptr [esp], 7EDA5782h	0_2_00D4D07C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 4777AC65h; mov dword ptr [esp], eax	0_2_00D4D0D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push edi; mov dword ptr [esp], ebx	0_2_00D4D0F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 36BFE9E0h; mov dword ptr [esp], edi	0_2_00D4D107
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 5FD9CD7Ch; mov dword ptr [esp], esi	0_2_00D4D144
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push ebp; mov dword ptr [esp], 777F2C84h	0_2_00D4D169
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 058F03BCh; mov dword ptr [esp], eax	0_2_00D4D1CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push edx; mov dword ptr [esp], 735A606Bh	0_2_00D4D1D9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push edi; mov dword ptr [esp], 567E7BD1h	0_2_00D4D224
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push ecx; mov dword ptr [esp], ebx	0_2_00D4D2E6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 325E1001h; mov dword ptr [esp], edx	0_2_00D4D344
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push ecx; mov dword ptr [esp], ebp	0_2_00D4D35E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push esi; mov dword ptr [esp], 1FAB12A0h	0_2_00D4D38E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push esi; mov dword ptr [esp], edi	0_2_00D4D3D3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 76F5C44Bh; mov dword ptr [esp], ebp	0_2_00D4D3F2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 5FD7482Dh; mov dword ptr [esp], esi	0_2_00D4D442
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 78029952h; mov dword ptr [esp], ebx	0_2_00D4D47B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push edx; mov dword ptr [esp], ebp	0_2_00D4D49A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 7F4E2BCEh; mov dword ptr [esp], eax	0_2_00D4D4F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push ebp; mov dword ptr [esp], edx	0_2_00D4D4FB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push ebx; mov dword ptr [esp], eax	0_2_00D4D53C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 35AE3E43h; mov dword ptr [esp], ebx	0_2_00D4D581
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push edx; mov dword ptr [esp], 6D406487h	0_2_00D4D5DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4D02A push 4189E539h; mov dword ptr [esp], ecx	0_2_00D4D603

Source: file.exe

Static PE information: section name: entropy: 7.988947159062327

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE3D49 second address: BE3D53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F5FAD07F446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6556F second address: D65593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jg 00007F5FACC61D06h 0x0000000c popad 0x0000000d jmp 00007F5FACC61D0Fh 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push esi 0x00000019 pop esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4B0FE second address: D4B102 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6458C second address: D645A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5FACC61D0Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D645A2 second address: D645AF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5FAD07F446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D648BC second address: D648CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop ecx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D648CC second address: D648DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F5FAD07F44Eh 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D648DE second address: D648E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D648E2 second address: D648E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D67714 second address: D6778E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5FACC61D0Dh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jns 00007F5FACC61D0Eh 0x00000014 jc 00007F5FACC61D08h 0x0000001a nop 0x0000001b mov dx, 7BF4h 0x0000001f push 00000000h 0x00000021 or dword ptr [ebp+122D3A78h], edx 0x00000027 xor dword ptr [ebp+122D1CCFh], ebx 0x0000002d push 9DDBF869h 0x00000032 pushad 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 pop edx 0x00000037 push ecx 0x00000038 jnc 00007F5FACC61D06h 0x0000003e pop ecx 0x0000003f popad 0x00000040 add dword ptr [esp], 62240817h 0x00000047 push 00000003h 0x00000049 movzx edx, dx 0x0000004c movsx edx, dx 0x0000004f push 00000000h 0x00000051 or edi, 50580213h 0x00000057 push 00000003h 0x00000059 push ecx 0x0000005a sub dword ptr [ebp+122D3640h], esi 0x00000060 pop edi 0x00000061 push AF458B63h 0x00000066 push eax 0x00000067 push edx 0x00000068 jc 00007F5FACC61D0Ch 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6778E second address: D67792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D67792 second address: D677E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FACC61D14h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 6F458B63h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F5FACC61D08h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a cmc 0x0000002b mov dl, bh 0x0000002d lea ebx, dword ptr [ebp+124575CDh] 0x00000033 sub ecx, dword ptr [ebp+122D39AEh] 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f pop edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D677E7 second address: D677EC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6793D second address: D67992 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FACC61D17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F5FACC61D08h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 mov edx, 6FA7CC7Ah 0x0000002b push 00000000h 0x0000002d mov edi, dword ptr [ebp+122D2D73h] 0x00000033 call 00007F5FACC61D09h 0x00000038 push esi 0x00000039 push ebx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D67992 second address: D679A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a je 00007F5FAD07F446h 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D679A3 second address: D679D9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5FACC61D08h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jng 00007F5FACC61D1Ah 0x00000014 pushad 0x00000015 jmp 00007F5FACC61D0Ch 0x0000001a jne 00007F5FACC61D06h 0x00000020 popad 0x00000021 mov eax, dword ptr [eax] 0x00000023 jng 00007F5FACC61D10h 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c pop eax 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D679D9 second address: D679E8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D679E8 second address: D679EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4CB36 second address: D4CB3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4CB3A second address: D4CB76 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5FACC61D06h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f jmp 00007F5FACC61D0Ch 0x00000014 jg 00007F5FACC61D06h 0x0000001a jmp 00007F5FACC61D17h 0x0000001f popad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D85A4B second address: D85A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FAD07F452h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D85EDF second address: D85EEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F5FACC61D06h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86042 second address: D8608E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F44Ch 0x00000007 jng 00007F5FAD07F446h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F5FAD07F451h 0x00000014 pop esi 0x00000015 pushad 0x00000016 jmp 00007F5FAD07F44Fh 0x0000001b jmp 00007F5FAD07F44Ah 0x00000020 push esi 0x00000021 push eax 0x00000022 pop eax 0x00000023 pushad 0x00000024 popad 0x00000025 pop esi 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8608E second address: D86092 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86317 second address: D86336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5FAD07F446h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5FAD07F450h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86336 second address: D8633A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8633A second address: D86344 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5FAD07F446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86344 second address: D8635B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5FACC61D0Fh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8635B second address: D8635F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D865CC second address: D865F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D13h 0x00000009 pop eax 0x0000000a jmp 00007F5FACC61D0Ch 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D865F3 second address: D865F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D865F9 second address: D865FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D865FF second address: D86605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86605 second address: D86614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F5FACC61D06h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86A58 second address: D86A82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F453h 0x00000007 je 00007F5FAD07F446h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnp 00007F5FAD07F44Ah 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 push eax 0x00000018 pop eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86A82 second address: D86A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86BFD second address: D86C35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5FAD07F454h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F5FAD07F44Fh 0x00000015 jmp 00007F5FAD07F44Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86C35 second address: D86C39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86C39 second address: D86C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D86C3F second address: D86C45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7D09A second address: D7D0A4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5FAD07F446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7D0A4 second address: D7D0BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FACC61D14h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8736C second address: D87375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87375 second address: D87388 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FACC61D0Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D87514 second address: D8751A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8751A second address: D87520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8783F second address: D8784F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F5FAD07F446h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A9D5 second address: D8A9DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F5FACC61D06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A9DF second address: D8AA0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F450h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5FAD07F457h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8AC28 second address: D8AC2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91BB4 second address: D91BD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F456h 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F5FAD07F446h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91D36 second address: D91D3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91D3C second address: D91D41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D920F2 second address: D92112 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F5FACC61D10h 0x0000000e jmp 00007F5FACC61D0Ah 0x00000013 push eax 0x00000014 push edx 0x00000015 jp 00007F5FACC61D06h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D92112 second address: D92129 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F451h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D923CD second address: D923D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D923D1 second address: D923D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D923D9 second address: D923E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93F58 second address: D93F5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93F5E second address: D93F96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FACC61D19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F5FACC61D15h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93F96 second address: D93F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93F9B second address: D93FD1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5FACC61D15h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jl 00007F5FACC61D0Eh 0x00000014 jne 00007F5FACC61D08h 0x0000001a mov eax, dword ptr [eax] 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f jns 00007F5FACC61D06h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93FD1 second address: D93FD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D94319 second address: D9431D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9431D second address: D94323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D94CDD second address: D94D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D12h 0x00000009 popad 0x0000000a push eax 0x0000000b push ecx 0x0000000c jc 00007F5FACC61D08h 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 xchg eax, ebx 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F5FACC61D08h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 jo 00007F5FACC61D0Ch 0x00000036 sub edi, dword ptr [ebp+122D1D3Ch] 0x0000003c mov dword ptr [ebp+122D396Bh], edx 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D94D35 second address: D94D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D94D3B second address: D94D40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D95027 second address: D95045 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F456h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D95045 second address: D95049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D97A5F second address: D97A65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9B423 second address: D9B42D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F5FACC61D06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9B42D second address: D9B43B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9B43B second address: D9B442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9B442 second address: D9B44C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F5FAD07F446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9C047 second address: D9C051 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F5FACC61D06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9C051 second address: D9C055 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA0178 second address: DA017C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA017C second address: DA018F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F44Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9C976 second address: D9C97A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9C97A second address: D9C97E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA0360 second address: DA0364 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA1111 second address: DA111B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5FAD07F44Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA0364 second address: DA036E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA111B second address: DA118B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, 7889AA80h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F5FAD07F448h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000019h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a mov bx, 57D4h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007F5FAD07F448h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a mov edi, dword ptr [ebp+122D2D7Bh] 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 jmp 00007F5FAD07F44Eh 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA20FC second address: DA2101 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA319D second address: DA31AC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007F5FAD07F446h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA41DD second address: DA4263 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5FACC61D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F5FACC61D0Ah 0x0000000f popad 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F5FACC61D08h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d jmp 00007F5FACC61D0Ah 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ebx 0x00000037 call 00007F5FACC61D08h 0x0000003c pop ebx 0x0000003d mov dword ptr [esp+04h], ebx 0x00000041 add dword ptr [esp+04h], 0000001Ch 0x00000049 inc ebx 0x0000004a push ebx 0x0000004b ret 0x0000004c pop ebx 0x0000004d ret 0x0000004e sub dword ptr [ebp+122D3880h], esi 0x00000054 push edx 0x00000055 cld 0x00000056 pop ebx 0x00000057 xchg eax, esi 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F5FACC61D15h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA51FF second address: DA5203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA5203 second address: DA5207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA5207 second address: DA520D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA520D second address: DA526C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F5FACC61D06h 0x00000009 jmp 00007F5FACC61D13h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 jnc 00007F5FACC61D0Ch 0x0000001a and ebx, dword ptr [ebp+122DB877h] 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push edx 0x00000025 call 00007F5FACC61D08h 0x0000002a pop edx 0x0000002b mov dword ptr [esp+04h], edx 0x0000002f add dword ptr [esp+04h], 0000001Ch 0x00000037 inc edx 0x00000038 push edx 0x00000039 ret 0x0000003a pop edx 0x0000003b ret 0x0000003c movzx edi, bx 0x0000003f push 00000000h 0x00000041 cmc 0x00000042 push eax 0x00000043 push edi 0x00000044 push edi 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA61AF second address: DA61B9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5FAD07F44Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA54B4 second address: DA54B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA7178 second address: DA7195 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F459h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA63FE second address: DA6408 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5FACC61D0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA7339 second address: DA7343 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5FAD07F446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA9049 second address: DA905C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FACC61D0Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAB0C6 second address: DAB0CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAB0CA second address: DAB14F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5FACC61D0Fh 0x0000000e pop edx 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F5FACC61D08h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a add di, 56D2h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push eax 0x00000034 call 00007F5FACC61D08h 0x00000039 pop eax 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e add dword ptr [esp+04h], 00000019h 0x00000046 inc eax 0x00000047 push eax 0x00000048 ret 0x00000049 pop eax 0x0000004a ret 0x0000004b jmp 00007F5FACC61D15h 0x00000050 push 00000000h 0x00000052 mov dword ptr [ebp+122D35B8h], edx 0x00000058 xchg eax, esi 0x00000059 push eax 0x0000005a push edx 0x0000005b push esi 0x0000005c pushad 0x0000005d popad 0x0000005e pop esi 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACD32 second address: DACD39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DADD09 second address: DADD0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DADD0E second address: DADDB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F44Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F5FAD07F448h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 jmp 00007F5FAD07F44Eh 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edx 0x0000002e call 00007F5FAD07F448h 0x00000033 pop edx 0x00000034 mov dword ptr [esp+04h], edx 0x00000038 add dword ptr [esp+04h], 00000018h 0x00000040 inc edx 0x00000041 push edx 0x00000042 ret 0x00000043 pop edx 0x00000044 ret 0x00000045 push 00000000h 0x00000047 push 00000000h 0x00000049 push edi 0x0000004a call 00007F5FAD07F448h 0x0000004f pop edi 0x00000050 mov dword ptr [esp+04h], edi 0x00000054 add dword ptr [esp+04h], 0000001Dh 0x0000005c inc edi 0x0000005d push edi 0x0000005e ret 0x0000005f pop edi 0x00000060 ret 0x00000061 xchg eax, esi 0x00000062 je 00007F5FAD07F452h 0x00000068 jg 00007F5FAD07F44Ch 0x0000006e push eax 0x0000006f jbe 00007F5FAD07F458h 0x00000075 push eax 0x00000076 push edx 0x00000077 jp 00007F5FAD07F446h 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACFA1 second address: DACFA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACFA5 second address: DACFA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DADF1D second address: DADF22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAEF99 second address: DAEFA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F5FAD07F446h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56DCD second address: D56DD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB7FC0 second address: DB7FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB7FC6 second address: DB7FCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB7FCA second address: DB7FCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB7FCE second address: DB7FD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB7FD6 second address: DB7FE0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5FAD07F452h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB8372 second address: DB8380 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5FACC61D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB8380 second address: DB838A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB838A second address: DB838E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB838E second address: DB8392 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBB965 second address: DBB969 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBB9F2 second address: DBB9F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBBAFE second address: DBBB08 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5FACC61D0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBBB08 second address: DBBB36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jns 00007F5FAD07F44Eh 0x0000000d jnl 00007F5FAD07F448h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F5FAD07F453h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBBB36 second address: DBBB6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FACC61D15h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push esi 0x0000000c jmp 00007F5FACC61D12h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC191A second address: DC191E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E54 second address: DC1E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC229F second address: DC22A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC248F second address: DC2493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC2493 second address: DC2497 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC2497 second address: DC24A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9D795 second address: D9D7A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 jl 00007F5FAD07F44Eh 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DB26 second address: D9DB70 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 call 00007F5FACC61D13h 0x0000000e mov dword ptr [ebp+122D3606h], edi 0x00000014 pop edx 0x00000015 nop 0x00000016 pushad 0x00000017 push ecx 0x00000018 jnc 00007F5FACC61D06h 0x0000001e pop ecx 0x0000001f jnl 00007F5FACC61D16h 0x00000025 popad 0x00000026 push eax 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DB70 second address: D9DB74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DB74 second address: D9DB78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DC76 second address: D9DCAE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5FAD07F446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 jnl 00007F5FAD07F446h 0x00000016 popad 0x00000017 jmp 00007F5FAD07F457h 0x0000001c popad 0x0000001d mov eax, dword ptr [esp+04h] 0x00000021 push ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DCAE second address: D9DCC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [eax] 0x00000009 js 00007F5FACC61D14h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DCC1 second address: D9DCC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DD7E second address: D9DD83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DE9F second address: D9DEA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DEA3 second address: D9DEE4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F5FACC61D06h 0x0000000d jmp 00007F5FACC61D0Bh 0x00000012 popad 0x00000013 popad 0x00000014 mov dword ptr [esp], eax 0x00000017 jnc 00007F5FACC61D08h 0x0000001d or di, A504h 0x00000022 push 00000004h 0x00000024 mov edx, dword ptr [ebp+1245EE53h] 0x0000002a nop 0x0000002b pushad 0x0000002c jns 00007F5FACC61D08h 0x00000032 pushad 0x00000033 popad 0x00000034 pushad 0x00000035 pushad 0x00000036 popad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9DEE4 second address: D9DF02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5FAD07F455h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E26F second address: D9E275 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E275 second address: D9E2C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 0000001Eh 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F5FAD07F448h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D34D9h], ebx 0x0000002d mov dword ptr [ebp+122D3AE5h], ecx 0x00000033 nop 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F5FAD07F454h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E2C1 second address: D9E2C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E2C7 second address: D9E2CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E2CB second address: D9E2CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E642 second address: D9E646 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E646 second address: D9E64C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E64C second address: D9E652 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E652 second address: D9E6AE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F5FACC61D08h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 jng 00007F5FACC61D0Ch 0x00000029 mov dword ptr [ebp+122D1DCCh], esi 0x0000002f lea eax, dword ptr [ebp+1248D0C4h] 0x00000035 pushad 0x00000036 xor si, F0D5h 0x0000003b mov edx, dword ptr [ebp+12455764h] 0x00000041 popad 0x00000042 nop 0x00000043 pushad 0x00000044 push edi 0x00000045 jmp 00007F5FACC61D10h 0x0000004a pop edi 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E6AE second address: D9E6C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F5FAD07F446h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007F5FAD07F44Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E6C9 second address: D9E704 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov cx, 2C21h 0x0000000d lea eax, dword ptr [ebp+1248D080h] 0x00000013 add ecx, 4A162F87h 0x00000019 nop 0x0000001a jo 00007F5FACC61D1Ch 0x00000020 push eax 0x00000021 push edx 0x00000022 push ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC6D4F second address: DC6D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC6D54 second address: DC6D5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jne 00007F5FACC61D06h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC6EC3 second address: DC6EC9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC704E second address: DC7056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC7056 second address: DC7060 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5FAD07F446h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC7060 second address: DC706F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC7485 second address: DC748B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC748B second address: DC7495 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5FACC61D06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D588BD second address: D588C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D588C1 second address: D588DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F5FACC61D0Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCCCDA second address: DCCCE6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5FAD07F44Eh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCCE77 second address: DCCE89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D0Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCCE89 second address: DCCEAF instructions: 0x00000000 rdtsc 0x00000002 js 00007F5FAD07F448h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F5FAD07F446h 0x00000012 jmp 00007F5FAD07F454h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCC89C second address: DCC8B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F5FACC61D06h 0x0000000d jno 00007F5FACC61D06h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCC8B6 second address: DCC8BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD5EF second address: DCD5F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD7B3 second address: DCD7C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F44Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD7C3 second address: DCD7E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F5FACC61D06h 0x0000000a jmp 00007F5FACC61D18h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD7E5 second address: DCD7F9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5FAD07F446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F5FAD07F446h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD989 second address: DCD991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCDC5D second address: DCDC61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCDC61 second address: DCDC67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD114B second address: DD1152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD1152 second address: DD1170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FACC61D18h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD53AD second address: DD53B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD53B1 second address: DD53BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD53BB second address: DD53BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD59B5 second address: DD59C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D0Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD59C6 second address: DD59ED instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5FAD07F448h 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5FAD07F453h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD5B52 second address: DD5B57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD5B57 second address: DD5B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 js 00007F5FAD07F44Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD5B66 second address: DD5B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 jnc 00007F5FACC61D06h 0x0000000f jmp 00007F5FACC61D14h 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD5E77 second address: DD5E84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jne 00007F5FAD07F446h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6052 second address: DD6056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6056 second address: DD6093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F5FAD07F446h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007F5FAD07F44Ch 0x00000012 je 00007F5FAD07F446h 0x00000018 push edi 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d pop edi 0x0000001e popad 0x0000001f je 00007F5FAD07F46Eh 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F5FAD07F454h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6093 second address: DD6097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6097 second address: DD609D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD61DC second address: DD61E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD61E2 second address: DD61E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD61E6 second address: DD621B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F5FACC61D14h 0x0000000e jmp 00007F5FACC61D15h 0x00000013 push esi 0x00000014 pop esi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD621B second address: DD6227 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F5FAD07F446h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6227 second address: DD622B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD64CA second address: DD64D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD690D second address: DD6913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6913 second address: DD6917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6917 second address: DD695F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jne 00007F5FACC61D06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007F5FACC61D1Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jbe 00007F5FACC61D06h 0x0000001d jmp 00007F5FACC61D12h 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD695F second address: DD6965 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6965 second address: DD696B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD696B second address: DD6971 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD6971 second address: DD6975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD9A10 second address: DD9A16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5BEC7 second address: D5BEDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jg 00007F5FACC61D06h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDB93C second address: DDB942 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDB942 second address: DDB948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDE6DE second address: DDE6EC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDE6EC second address: DDE6F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDE6F2 second address: DDE6F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDE9A2 second address: DDE9E5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5FACC61D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F5FACC61D17h 0x00000012 jbe 00007F5FACC61D06h 0x00000018 popad 0x00000019 push esi 0x0000001a jmp 00007F5FACC61D15h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDE9E5 second address: DDEA04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jnp 00007F5FAD07F446h 0x0000000c jnc 00007F5FAD07F446h 0x00000012 pop eax 0x00000013 popad 0x00000014 jbe 00007F5FAD07F450h 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE3A10 second address: DE3A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE2E6E second address: DE2E9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F44Bh 0x00000007 jmp 00007F5FAD07F459h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE2E9D second address: DE2EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE31A0 second address: DE31A5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE7066 second address: DE707B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D11h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE707B second address: DE707F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE7324 second address: DE733C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F5FACC61D06h 0x00000012 jp 00007F5FACC61D06h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE733C second address: DE7340 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE7340 second address: DE734C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F5FACC61D06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE734C second address: DE7352 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DECD01 second address: DECD05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DECD05 second address: DECD09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DECD09 second address: DECD1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 js 00007F5FACC61D06h 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DECD1C second address: DECD26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DECD26 second address: DECD55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F5FACC61D06h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push esi 0x00000010 jmp 00007F5FACC61D0Eh 0x00000015 pop esi 0x00000016 jc 00007F5FACC61D0Ch 0x0000001c jnp 00007F5FACC61D06h 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEB7BB second address: DEB7C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEB7C1 second address: DEB7C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46158 second address: D4615E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEB936 second address: DEB946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 pushad 0x00000008 jc 00007F5FACC61D06h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEB946 second address: DEB96C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F5FAD07F446h 0x0000000a jng 00007F5FAD07F446h 0x00000010 popad 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5FAD07F452h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E116 second address: D9E11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E11A second address: D9E12D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F44Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E12D second address: D9E169 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5FACC61D08h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b cmc 0x0000000c push 00000004h 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F5FACC61D08h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 mov ecx, esi 0x0000002a mov dword ptr [ebp+122D3856h], eax 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push ecx 0x00000036 pop ecx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E169 second address: D9E173 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5FAD07F446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9E173 second address: D9E181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FACC61D0Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF2D1C second address: DF2D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF2E87 second address: DF2E93 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 ja 00007F5FACC61D06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF317B second address: DF317F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF317F second address: DF318A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF3447 second address: DF3457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5FAD07F44Bh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF3457 second address: DF345D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF345D second address: DF3461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF3749 second address: DF3765 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FACC61D18h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF3765 second address: DF377E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007F5FAD07F446h 0x0000000b js 00007F5FAD07F446h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF377E second address: DF3790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D0Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF3790 second address: DF37AC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnp 00007F5FAD07F446h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jns 00007F5FAD07F446h 0x00000013 push edx 0x00000014 pop edx 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF37AC second address: DF37C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FACC61D18h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF48F0 second address: DF48F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF91D1 second address: DF91F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FACC61D0Eh 0x00000007 jc 00007F5FACC61D0Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF91F6 second address: DF91FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF91FC second address: DF921A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jbe 00007F5FACC61D19h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF921A second address: DF9222 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFA8B6 second address: DFA8BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFA8BA second address: DFA8C4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5FAD07F446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFDE41 second address: DFDE85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5FACC61D14h 0x0000000b popad 0x0000000c jns 00007F5FACC61D12h 0x00000012 jng 00007F5FACC61D08h 0x00000018 push eax 0x00000019 pop eax 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFDE85 second address: DFDE8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F5FAD07F446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFDE8F second address: DFDE9E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5FACC61D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E06C98 second address: E06C9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E06C9E second address: E06CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F5FACC61D06h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E04F2B second address: E04F44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FAD07F451h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E04F44 second address: E04F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D10h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E04F5B second address: E04F62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0548A second address: E05495 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E05495 second address: E054A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FAD07F44Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E05778 second address: E05786 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F5FACC61D06h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E05786 second address: E0578A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0578A second address: E05796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E05796 second address: E0579B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0579B second address: E057A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E04A9B second address: E04AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E04AA0 second address: E04AC2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push esi 0x00000007 jno 00007F5FACC61D06h 0x0000000d jp 00007F5FACC61D06h 0x00000013 pop esi 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 pushad 0x00000018 push edx 0x00000019 pop edx 0x0000001a ja 00007F5FACC61D06h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0C1D3 second address: E0C1F0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5FAD07F446h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d ja 00007F5FAD07F44Ch 0x00000013 jp 00007F5FAD07F446h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0C1F0 second address: E0C1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0FB57 second address: E0FB72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F456h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0FB72 second address: E0FB78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E0FB78 second address: E0FB7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D500F9 second address: D50110 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5FACC61D12h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D50110 second address: D50116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1DCCB second address: E1DCD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1D825 second address: E1D82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1D82F second address: E1D83E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D0Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1D83E second address: E1D84D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5FAD07F44Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E242C9 second address: E242D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E23CDE second address: E23CEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F5FAD07F446h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2D2B9 second address: E2D2C5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5FACC61D0Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2F463 second address: E2F46D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2F46D second address: E2F473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2F473 second address: E2F47D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E33DB8 second address: E33DD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FACC61D12h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E33DD7 second address: E33DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FAD07F454h 0x00000009 popad 0x0000000a push ebx 0x0000000b jo 00007F5FAD07F446h 0x00000011 jns 00007F5FAD07F446h 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E33DFE second address: E33E03 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E35C8F second address: E35CC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007F5FAD07F44Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5FAD07F456h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E35CC1 second address: E35CC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3DF1D second address: E3DF21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3DF21 second address: E3DF26 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3CD1B second address: E3CD24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3CE76 second address: E3CE88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5FACC61D0Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3CFF2 second address: E3CFF8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E3CFF8 second address: E3CFFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E41693 second address: E416A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F44Bh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E4B2F8 second address: E4B2FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E4D0B8 second address: E4D0C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F5FAD07F446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E4D0C2 second address: E4D0DC instructions: 0x00000000 rdtsc 0x00000002 je 00007F5FACC61D06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jnl 00007F5FACC61D06h 0x00000013 jbe 00007F5FACC61D06h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E4D0DC second address: E4D0E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E611B2 second address: E611C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5FACC61D06h 0x0000000a popad 0x0000000b push edi 0x0000000c jp 00007F5FACC61D06h 0x00000012 pop edi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63FF1 second address: E63FF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63FF6 second address: E63FFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63CF0 second address: E63CF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63CF4 second address: E63CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63CFA second address: E63D08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F5FAD07F446h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63D08 second address: E63D10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7C793 second address: E7C7BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F5FAD07F446h 0x00000009 jmp 00007F5FAD07F456h 0x0000000e jp 00007F5FAD07F446h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7CC3C second address: E7CC50 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5FACC61D08h 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F5FACC61D06h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7CC50 second address: E7CC54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7D2B0 second address: E7D2C0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F5FACC61D0Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7D430 second address: E7D436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7D436 second address: E7D43A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7D43A second address: E7D43E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7EDD1 second address: E7EDD7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4820B8E second address: 4820BD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F451h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [eax+00000FDCh] 0x0000000f jmp 00007F5FAD07F44Eh 0x00000014 test ecx, ecx 0x00000016 jmp 00007F5FAD07F450h 0x0000001b jns 00007F5FAD07F494h 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4820BD5 second address: 4820BD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4820BD9 second address: 4820BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4820BDF second address: 4820BEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5FACC61D0Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4820BEE second address: 4820C89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5FAD07F459h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add eax, ecx 0x0000000d jmp 00007F5FAD07F44Eh 0x00000012 mov eax, dword ptr [eax+00000860h] 0x00000018 jmp 00007F5FAD07F450h 0x0000001d test eax, eax 0x0000001f jmp 00007F5FAD07F450h 0x00000024 je 00007F601F195560h 0x0000002a pushad 0x0000002b call 00007F5FAD07F44Eh 0x00000030 mov ch, 31h 0x00000032 pop edi 0x00000033 pushfd 0x00000034 jmp 00007F5FAD07F44Ch 0x00000039 or eax, 5906C468h 0x0000003f jmp 00007F5FAD07F44Bh 0x00000044 popfd 0x00000045 popad 0x00000046 test byte ptr [eax+04h], 00000005h 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d mov bx, 33D6h 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96D60 second address: D96D64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: BE3C80 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: BE3D9F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: BE3C86 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D8AAA9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: D9D477 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\file.exe TID: 2084

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.2215264660.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2195582269.000000000056E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214899190.000000000056E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW-
Source: file.exe, 00000000.00000002.2214899190.0000000000583000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195582269.0000000000583000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2214770282.000000000050E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2215264660.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00BC5BB0 LdrInitializeThunk,

0_2_00BC5BB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: licendfilteo.site
Source: file.exe	String found in binary or memory: clearancek.site
Source: file.exe	String found in binary or memory: bathdoomgaz.stor
Source: file.exe	String found in binary or memory: spirittunek.stor
Source: file.exe	String found in binary or memory: dissapoiznw.stor
Source: file.exe	String found in binary or memory: studennotediw.stor
Source: file.exe	String found in binary or memory: mobbipenju.stor
Source: file.exe	String found in binary or memory: eaglepawnoy.stor

Source: file.exe, 00000000.00000002.2215387610.0000000000DAF000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: eQProgram Manager

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

ID:	1538479
Product:	CloudBasic
Start time:	11:36:07
Start date:	21.10.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	dc43c9288aea0674eedfbe45f76ce6cc
SHA1:	10bfb95432e5f7ae66ef733ff82f9754dbfdd058
SHA256:	96681940b7062345ddf56e494ee4f177098d5789c38eba3f6d751389a029d25a
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by