Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1637464
MD5: cdb3cbc1da45ba7cf22a9d2a950a2e06
SHA1: 29623c955ee4eb535d4f3dab196d725a36131f6d
SHA256: 8f64ae1fd284f35875317eb3c8f7d8074111dd007014ea524e799b70ac02b9a1
Tags: exe, user-jstrosch
Infos:

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 5580 cmdline: "C:\Users\user\Desktop\file.exe" MD5: CDB3CBC1DA45BA7CF22A9D2A950A2E06)
  • cleanup
{"C2 url": ["begindecafer.world/QwdZdf", "garagedrootz.top/oPsoJAN", "modelshiverd.icu/bJhnsj", "arisechairedd.shop/JnsHY", "catterjur.run/boSnzhu", "orangemyther.live/IozZ", "fostinjec.today/LksNAz"], "Build id": "ed282de2492e515b5a600f7d9993d88a1a4bd6ca37dc2297a2a91518"}
Source | Rule | Description | Author | Strings
00000000.00000002.1348888936.00000000004A1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: file.exe PID: 5580 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: file.exe PID: 5580 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author | Strings
0.2.file.exe.4a0000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security

No Sigma rule has matched
          Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
          2025-03-13T16:56:16.869326+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49681 | 23.197.127.21 | 443 | TCP
          2025-03-13T16:56:19.530031+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49682 | 188.114.96.3 | 443 | TCP
          2025-03-13T16:56:22.474642+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49683 | 23.197.127.21 | 443 | TCP
          2025-03-13T16:56:25.002564+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49684 | 188.114.96.3 | 443 | TCP
          2025-03-13T16:56:27.734627+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49686 | 23.197.127.21 | 443 | TCP
          2025-03-13T16:56:30.295860+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49688 | 188.114.96.3 | 443 | TCP
          2025-03-13T16:56:32.961994+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49692 | 23.197.127.21 | 443 | TCP
          2025-03-13T16:56:36.098741+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49693 | 23.197.127.21 | 443 | TCP
          2025-03-13T16:56:39.803761+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49694 | 23.197.127.21 | 443 | TCP
          2025-03-13T16:56:42.571736+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49695 | 23.197.127.21 | 443 | TCP
          2025-03-13T16:56:45.772369+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49698 | 23.197.127.21 | 443 | TCP
          2025-03-13T16:56:48.415007+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49701 | 188.114.96.3 | 443 | TCP
          2025-03-13T16:56:50.953671+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49703 | 23.197.127.21 | 443 | TCP
          2025-03-13T16:56:52.529933+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49704 | 23.197.127.21 | 443 | TCP
          2025-03-13T16:56:55.165008+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49705 | 188.114.96.3 | 443 | TCP

          AV Detection

          Source: file.exe | Avira: detected
          Source: begindecafer.world/QwdZdf | Avira URL Cloud: Label: malware
          Source: orangemyther.live/IozZ | Avira URL Cloud: Label: malware
          Source: modelshiverd.icu/bJhnsj | Avira URL Cloud: Label: malware
          Source: garagedrootz.top/oPsoJAN | Avira URL Cloud: Label: malware
          Source: arisechairedd.shop/JnsHY | Avira URL Cloud: Label: malware
          Source: catterjur.run/boSnzhu | Avira URL Cloud: Label: malware
          Source: 00000000.00000002.1348888936.00000000004A1000.00000040.00000001.01000000.00000003.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["begindecafer.world/QwdZdf", "garagedrootz.top/oPsoJAN", "modelshiverd.icu/bJhnsj", "arisechairedd.shop/JnsHY", "catterjur.run/boSnzhu", "orangemyther.live/IozZ", "fostinjec.today/LksNAz"], "Build id": "ed282de2492e515b5a600f7d9993d88a1a4bd6ca37dc2297a2a91518"}
          Source: file.exe | Virustotal: Detection: 63%
          Source: file.exe | ReversingLabs: Detection: 55%
          Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
          Source: 00000000.00000002.1348888936.00000000004A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: begindecafer.world/QwdZdf
          Source: 00000000.00000002.1348888936.00000000004A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: garagedrootz.top/oPsoJAN
          Source: 00000000.00000002.1348888936.00000000004A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: modelshiverd.icu/bJhnsj
          Source: 00000000.00000002.1348888936.00000000004A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: arisechairedd.shop/JnsHY
          Source: 00000000.00000002.1348888936.00000000004A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: catterjur.run/boSnzhu
          Source: 00000000.00000002.1348888936.00000000004A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: orangemyther.live/IozZ
          Source: 00000000.00000002.1348888936.00000000004A1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: fostinjec.today/LksNAz
          Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: unknown | HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49681 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49682 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49683 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49684 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49686 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49688 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49692 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49693 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49694 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49695 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49698 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49701 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49704 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49705 version: TLS 1.2

          Networking

          Source: Malware configuration extractor | URLs: begindecafer.world/QwdZdf
          Source: Malware configuration extractor | URLs: garagedrootz.top/oPsoJAN
          Source: Malware configuration extractor | URLs: modelshiverd.icu/bJhnsj
          Source: Malware configuration extractor | URLs: arisechairedd.shop/JnsHY
          Source: Malware configuration extractor | URLs: catterjur.run/boSnzhu
          Source: Malware configuration extractor | URLs: orangemyther.live/IozZ
          Source: Malware configuration extractor | URLs: fostinjec.today/LksNAz
          Source: global traffic | HTTP traffic detected: GET /profiles/76561199822375128 HTTP/1.1 | Connection: Keep-Alive | Host: steamcommunity.com
          Source: Joe Sandbox View | IP Address: 23.197.127.21
          Source: Joe Sandbox View | IP Address: 188.114.96.3
          Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49688 -> 188.114.96.3:443
          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49686 -> 23.197.127.21:443
          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49683 -> 23.197.127.21:443
          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49692 -> 23.197.127.21:443
          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49682 -> 188.114.96.3:443
          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49684 -> 188.114.96.3:443
          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49681 -> 23.197.127.21:443
          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49693 -> 23.197.127.21:443
          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49704 -> 23.197.127.21:443
          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49698 -> 23.197.127.21:443
          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49695 -> 23.197.127.21:443
          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49703 -> 23.197.127.21:443
          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49694 -> 23.197.127.21:443
          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49705 -> 188.114.96.3:443
          Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 188.114.96.3:443
          Source: global traffic | HTTP traffic detected: POST /bSHsyZD HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 65 | Host: guntac.bet
          Source: global traffic | HTTP traffic detected: POST /bSHsyZD HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=0qMR7V0oNLrsXkxMS | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 14517 | Host: guntac.bet
          Source: global traffic | HTTP traffic detected: POST /bSHsyZD HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=0K4tAOYWcJJ2980w | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15074 | Host: guntac.bet
          Source: global traffic | HTTP traffic detected: POST /bSHsyZD HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=j79T892S0F | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 568483 | Host: guntac.bet
          Source: global traffic | HTTP traffic detected: POST /bSHsyZD HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 103 | Host: guntac.bet
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: file.exe, 00000000.00000003.1348330462.0000000005ACF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://steamloopback.host https://store.steampowered.com/; equals www.youtube.com (Youtube)
          Source: global traffic. DNS traffic detected: DNS query: begindecafer.world
          Source: global traffic. DNS traffic detected: DNS query: garagedrootz.top
          Source: global traffic. DNS traffic detected: DNS query: modelshiverd.icu
          Source: global traffic. DNS traffic detected: DNS query: arisechairedd.shop
          Source: global traffic. DNS traffic detected: DNS query: catterjur.run
          Source: global traffic. DNS traffic detected: DNS query: orangemyther.live
          Source: global traffic. DNS traffic detected: DNS query: fostinjec.today
          Source: global traffic. DNS traffic detected: DNS query: sterpickced.digital
          Source: global traffic. DNS traffic detected: DNS query: steamcommunity.com
          Source: global traffic. DNS traffic detected: DNS query: guntac.bet
          Source: unknown. HTTP traffic detected:
            POST /bSHsyZD HTTP/1.1
            Connection: Keep-Alive
            Content-Type: application/x-www-form-urlencoded
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
            Content-Length: 65
            Host: guntac.bet
          Source: file.exe, 00000000.00000003.1166622128.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1167329534.0000000005B05000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1348614310.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1228434054.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163181143.0000000005AB0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047642823.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1271711124.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1048923308.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047199578.0000000005AA6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1352044644.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163055639.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227779678.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163504014.0000000005AB9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 
00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=cMt-H-zOgNUp&l=english&am
          Source: file.exe, 00000000.00000003.1227779678.0000000001201000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQH
          Source: file.exe, 00000000.00000003.1166622128.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1167329534.0000000005B05000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1348614310.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1228434054.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163181143.0000000005AB0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047642823.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1271711124.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1048923308.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1295004953.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047199578.0000000005AA6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1352044644.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163055639.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1169252310.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227779678.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163504014.0000000005AB9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 
00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
          Source: file.exe, 00000000.00000003.1348614310.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047642823.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1271711124.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1048923308.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047199578.0000000005AA6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1352044644.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
          Source: file.exe, 00000000.00000003.1348614310.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047642823.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1271711124.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1048923308.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047199578.0000000005AA6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1352044644.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
          Source: file.exe, 00000000.00000003.1348614310.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047642823.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1271711124.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1048923308.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047199578.0000000005AA6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1352044644.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
          Source: file.exe, 00000000.00000003.1348614310.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
          Source: file.exe, 00000000.00000003.1166622128.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1167329534.0000000005B05000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1348614310.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1228434054.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1271711124.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1352044644.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163055639.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227779678.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
          Source: file.exe, 00000000.00000003.1348614310.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
          Source: file.exe, 00000000.00000003.1322905656.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1295004953.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1169252310.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1348387143.000000000120C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227779678.0000000001201000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v
          Source: file.exe, 00000000.00000003.1166622128.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1167329534.0000000005B05000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1348614310.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1228434054.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163181143.0000000005AB0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047642823.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1271711124.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1048923308.0000000005AA8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047199578.0000000005AA6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1352044644.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163055639.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227779678.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or 
memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
          Source: file.exe, 00000000.00000003.1348614310.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=whw8EcafG167&l=e
          Source: file.exe, 00000000.00000003.1322905656.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1295004953.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1169252310.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1348387143.000000000120C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227779678.0000000001201000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/
          Source: file.exe, 00000000.00000003.1322905656.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1295004953.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1169252310.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227779678.0000000001201000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/
          Source: file.exe, 00000000.00000003.1166622128.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1167329534.0000000005B05000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1322905656.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1228434054.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163181143.0000000005AB0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1271711124.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1295004953.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1352044644.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1169252310.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1348387143.000000000120C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227779678.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1349797667.0000000001204000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163504014.0000000005AB9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 
00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
          Source: file.exe, 00000000.00000003.1047315391.0000000005ACF000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047220528.0000000005ACF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_s
          Source: file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
          Source: file.exe, 00000000.00000003.1163181143.0000000005AB0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1271711124.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1295004953.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1352044644.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1169252310.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1348387143.000000000120C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227779678.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1349797667.0000000001204000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163504014.0000000005AB9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
          Source: file.exe, 00000000.00000003.1166622128.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1167329534.0000000005B05000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1228434054.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163181143.0000000005AB0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1271711124.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1352044644.0000000005B02000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1169252310.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227779678.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1349797667.0000000001204000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163504014.0000000005AB9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
          Source: file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163029494.0000000005B53000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227604567.0000000001210000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163055639.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
          Source: file.exe, 00000000.00000003.1348614310.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163029494.0000000005B53000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227604567.0000000001210000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163055639.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1349818035.000000000120A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
          Source: file.exe, 00000000.00000003.1348614310.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163029494.0000000005B53000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227604567.0000000001210000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163055639.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1349818035.000000000120A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
          Source: file.exe, 00000000.00000003.1323025095.00000000011AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1295004953.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1169272115.0000000001193000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076319740.0000000005AB1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967271913.00000000011BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;X-Frame-OptionsSAMEORIGINPersistent-AuthWWW-AuthenticateVarysteamCou
          Source: file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/about/
          Source: file.exe, 00000000.00000003.1163181143.0000000005AB0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163029494.0000000005B53000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227604567.0000000001210000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163055639.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163504014.0000000005AB9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/explore/
          Source: file.exe, 00000000.00000003.1322651471.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1352044644.0000000005B14000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1100179520.000000000123E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1245252856.0000000005B10000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005B18000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005AB4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1352044644.0000000005B10000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076218654.0000000005ACA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967308864.000000000118D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163181143.0000000005AB0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047110900.0000000005AC1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047476865.0000000005ACA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1322651471.0000000005B10000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1295004953.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163029494.0000000005B53000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163055639.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047261962.0000000005AC1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047315391.0000000005AC3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 
00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
          Source: file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163029494.0000000005B53000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227604567.0000000001210000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163055639.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/mobile
          Source: file.exe, 00000000.00000003.1348614310.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163029494.0000000005B53000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227604567.0000000001210000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163055639.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1349818035.000000000120A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/news/
          Source: file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163029494.0000000005B53000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227604567.0000000001210000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163055639.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/points/shop/
          Source: file.exe, 00000000.00000003.1348614310.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163029494.0000000005B53000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227604567.0000000001210000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163055639.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1349818035.000000000120A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privacy_agreement/
          Source: file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163029494.0000000005B53000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227604567.0000000001210000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163055639.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/stats/
          Source: file.exe, 00000000.00000003.1348614310.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163029494.0000000005B53000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227604567.0000000001210000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163055639.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1349818035.000000000120A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/steam_refunds/
          Source: file.exe, 00000000.00000003.1348614310.0000000001208000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163029494.0000000005B53000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227604567.0000000001210000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163055639.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1349818035.000000000120A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
          Source: file.exe, 00000000.00000003.1101696075.0000000005BC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
          Source: file.exe, 00000000.00000003.1101696075.0000000005BC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
          Source: file.exe, 00000000.00000003.994764200.0000000005B0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
          Source: file.exe, 00000000.00000003.967271913.00000000011BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
          Source: file.exe, 00000000.00000003.994764200.0000000005B0B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
          Source: file.exe, 00000000.00000003.967271913.00000000011BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
          Source: file.exe, 00000000.00000003.967271913.00000000011BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
          Source: file.exe, 00000000.00000003.967271913.00000000011BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
          Source: file.exe, 00000000.00000003.1101696075.0000000005BC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
          Source: file.exe, 00000000.00000003.1101696075.0000000005BC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
          Source: file.exe, 00000000.00000003.1101696075.0000000005BC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
          Source: file.exe, 00000000.00000003.1101696075.0000000005BC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
          Source: file.exe, 00000000.00000003.1101696075.0000000005BC6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
          Source: file.exe, 00000000.00000003.1322651471.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1352044644.0000000005B14000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1245252856.0000000005B10000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005B18000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163181143.0000000005AB0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1227405938.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047110900.0000000005AB3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1163029494.0000000005B53000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076091419.0000000005ABB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.967240912.0000000001207000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1076199595.0000000001236000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1047076826.0000000005AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
          Source: file.exe, 00000000.00000003.967271913.00000000011BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
          Source: file.exe, 00000000.00000003.967271913.00000000011BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49688
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49686
          Source: unknownNetwork traffic detected: HTTP traffic on port 49695 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49684
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49683
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49682
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49681
          Source: unknownNetwork traffic detected: HTTP traffic on port 49693 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49686 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49684 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49688 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49682 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49698 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49698
          Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49695
          Source: unknownNetwork traffic detected: HTTP traffic on port 49694 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49694
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49693
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49692
          Source: unknownNetwork traffic detected: HTTP traffic on port 49692 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49683 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49681 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
          Source: unknownHTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49681 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49682 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49683 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49684 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49686 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49688 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49692 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49693 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49694 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49695 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49698 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49701 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49704 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49705 version: TLS 1.2

          System Summary

          Source: file.exe | Static PE information: section name:
          Source: file.exe | Static PE information: section name: .idata
          Source: file.exe | Static PE information: section name:
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_011BA98B 0_3_011BA98B
          Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: file.exe | Static PE information: Section: dylwzorj ZLIB complexity 0.9942242969218095
          Source: file.exe | Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@12/2
          Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: file.exe, 00000000.00000003.1047835569.0000000005AD6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.994209833.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.994597418.0000000005AC9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1048118715.0000000005AB0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
          Source: file.exe | Virustotal: Detection: 63%
          Source: file.exe | ReversingLabs: Detection: 55%
          Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
          Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
          Source: file.exe | Static file information: File size 2114048 > 1048576
          Source: file.exe | Static PE information: Raw size of dylwzorj is bigger than: 0x100000 < 0x1a1400

          Data Obfuscation

          Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.4a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dylwzorj:EW;klmlriwd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dylwzorj:EW;klmlriwd:EW;.taggant:EW;
          Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
          Source: file.exe | Static PE information: real checksum: 0x209569 should be: 0x20cf20
          Source: file.exe | Static PE information: section name:
          Source: file.exe | Static PE information: section name: .idata
          Source: file.exe | Static PE information: section name:
          Source: file.exe | Static PE information: section name: dylwzorj
          Source: file.exe | Static PE information: section name: klmlriwd
          Source: file.exe | Static PE information: section name: .taggant
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_011AD21A push cs; ret 0_3_011AD244
          Source: C:\Users\user\Desktop\file.exe | Code function: 0_3_011AD248 push cs; ret 0_3_011AD244
          Source: file.exe | Static PE information: section name: entropy: 7.140193618273644
          Source: file.exe | Static PE information: section name: dylwzorj entropy: 7.9537942670027775

          Boot Survival

          Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
          Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
          Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
          Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
          Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
          Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
          Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation
          Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
          Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C4028 second address: 6C402E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C402E second address: 6C4032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C02A0 second address: 6C02C0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF154E32A55h 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C4032 second address: 6C4057 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E37339h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C31DB second address: 6C31EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 je 00007FF154E32A4Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C4057 second address: 6C4069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154E3732Dh 0x00000009 popad 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C4069 second address: 6C406E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C406E second address: 6C40EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FF154E37328h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 mov ebx, dword ptr [ebp+122D3125h] 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edx 0x0000002d call 00007FF154E37328h 0x00000032 pop edx 0x00000033 mov dword ptr [esp+04h], edx 0x00000037 add dword ptr [esp+04h], 00000014h 0x0000003f inc edx 0x00000040 push edx 0x00000041 ret 0x00000042 pop edx 0x00000043 ret 0x00000044 pushad 0x00000045 mov dword ptr [ebp+12489C45h], ebx 0x0000004b cld 0x0000004c popad 0x0000004d push 00000000h 0x0000004f jmp 00007FF154E37333h 0x00000054 jmp 00007FF154E3732Dh 0x00000059 xchg eax, esi 0x0000005a push eax 0x0000005b push edx 0x0000005c push ebx 0x0000005d pushad 0x0000005e popad 0x0000005f pop ebx 0x00000060 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C432F second address: 6C435C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FF154E32A48h 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f jns 00007FF154E32A48h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FF154E32A52h 0x0000001c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C435C second address: 6C4360 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C6F3B second address: 6C6FA9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, edx 0x0000000c push 00000000h 0x0000000e jmp 00007FF154E32A50h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007FF154E32A48h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f mov ebx, dword ptr [ebp+122D37EEh] 0x00000035 mov ebx, dword ptr [ebp+122D37FEh] 0x0000003b xchg eax, esi 0x0000003c jmp 00007FF154E32A4Bh 0x00000041 push eax 0x00000042 pushad 0x00000043 jno 00007FF154E32A4Ch 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C6FA9 second address: 6C6FAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C6160 second address: 6C6164 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C6164 second address: 6C621A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007FF154E37326h 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 jo 00007FF154E3732Ch 0x00000019 jne 00007FF154E37326h 0x0000001f jmp 00007FF154E3732Ah 0x00000024 popad 0x00000025 nop 0x00000026 mov ebx, dword ptr [ebp+122D3732h] 0x0000002c push dword ptr fs:[00000000h] 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007FF154E37328h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 0000001Ch 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d adc bx, 6746h 0x00000052 movsx edi, ax 0x00000055 mov dword ptr fs:[00000000h], esp 0x0000005c xor dword ptr [ebp+12467880h], esi 0x00000062 mov eax, dword ptr [ebp+122D15C9h] 0x00000068 mov edi, esi 0x0000006a push FFFFFFFFh 0x0000006c mov edi, dword ptr [ebp+122D3802h] 0x00000072 jmp 00007FF154E37339h 0x00000077 nop 0x00000078 jnp 00007FF154E3732Eh 0x0000007e push edx 0x0000007f jp 00007FF154E37326h 0x00000085 pop edx 0x00000086 push eax 0x00000087 push eax 0x00000088 push edx 0x00000089 jmp 00007FF154E3732Ah 0x0000008e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C621A second address: 6C6220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CCA63 second address: 6CCAAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push ebx 0x0000000a xor bx, EACAh 0x0000000f pop edi 0x00000010 push 00000000h 0x00000012 xor bx, 7A86h 0x00000017 push 00000000h 0x00000019 mov dword ptr [ebp+122D1D35h], edi 0x0000001f xchg eax, esi 0x00000020 jmp 00007FF154E3732Fh 0x00000025 push eax 0x00000026 pushad 0x00000027 jmp 00007FF154E37336h 0x0000002c push esi 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CBBCE second address: 6CBBD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CBBD4 second address: 6CBBD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CDA38 second address: 6CDA3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CDA3C second address: 6CDA46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CDA46 second address: 6CDA4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CDA4A second address: 6CDAC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E37333h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jno 00007FF154E3732Ch 0x00000012 jns 00007FF154E37328h 0x00000018 popad 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007FF154E37328h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 add ebx, dword ptr [ebp+122D59F5h] 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ecx 0x00000041 call 00007FF154E37328h 0x00000046 pop ecx 0x00000047 mov dword ptr [esp+04h], ecx 0x0000004b add dword ptr [esp+04h], 00000019h 0x00000053 inc ecx 0x00000054 push ecx 0x00000055 ret 0x00000056 pop ecx 0x00000057 ret 0x00000058 push eax 0x00000059 push ecx 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CDAC9 second address: 6CDACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CEA1B second address: 6CEA1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CEA1F second address: 6CEA25 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CEA25 second address: 6CEA55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E3732Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007FF154E3733Ah 0x00000012 jmp 00007FF154E37334h 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CEA55 second address: 6CEABB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF154E32A4Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jmp 00007FF154E32A53h 0x00000010 mov di, ax 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FF154E32A48h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f push 00000000h 0x00000031 xchg eax, esi 0x00000032 jmp 00007FF154E32A50h 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push ecx 0x0000003b jne 00007FF154E32A46h 0x00000041 pop ecx 0x00000042 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CEABB second address: 6CEACC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF154E3732Dh 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CEC31 second address: 6CEC36 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CCCF8 second address: 6CCD10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E3732Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CCD10 second address: 6CCD14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CECEB second address: 6CED23 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF154E37326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007FF154E37338h 0x00000010 pop ecx 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 jmp 00007FF154E3732Eh 0x0000001b pop edi 0x0000001c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D382E second address: 6D384B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF154E32A51h 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D384B second address: 6D3853 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D4E05 second address: 6D4E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop eax 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D410B second address: 6D4111 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D4F40 second address: 6D4F4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FF154E32A46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D4F4B second address: 6D4FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov ebx, dword ptr [ebp+122D398Ah] 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov bx, 2CE0h 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 push 00000000h 0x00000024 push edi 0x00000025 call 00007FF154E37328h 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], edi 0x0000002f add dword ptr [esp+04h], 00000014h 0x00000037 inc edi 0x00000038 push edi 0x00000039 ret 0x0000003a pop edi 0x0000003b ret 0x0000003c and edi, dword ptr [ebp+122D374Ah] 0x00000042 mov eax, dword ptr [ebp+122D0BB9h] 0x00000048 call 00007FF154E3732Ah 0x0000004d mov edi, 3BD382B0h 0x00000052 pop edi 0x00000053 push FFFFFFFFh 0x00000055 push 00000000h 0x00000057 push edx 0x00000058 call 00007FF154E37328h 0x0000005d pop edx 0x0000005e mov dword ptr [esp+04h], edx 0x00000062 add dword ptr [esp+04h], 0000001Ch 0x0000006a inc edx 0x0000006b push edx 0x0000006c ret 0x0000006d pop edx 0x0000006e ret 0x0000006f mov dword ptr [ebp+1245F167h], ecx 0x00000075 nop 0x00000076 pushad 0x00000077 jmp 00007FF154E37335h 0x0000007c push esi 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DD765 second address: 6DD786 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF154E32A52h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jno 00007FF154E32A46h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DD786 second address: 6DD78B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DD78B second address: 6DD7B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF154E32A54h 0x00000009 jmp 00007FF154E32A51h 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DD90B second address: 6DD913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DD913 second address: 6DD917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DD917 second address: 6DD921 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF154E37326h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E2CAC second address: 6E2CB6 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF154E32A46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E2F38 second address: 6E2F42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FF154E37326h 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E2FF9 second address: 6E2FFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E2FFE second address: 505AC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E37331h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 6A036276h 0x00000010 pushad 0x00000011 jng 00007FF154E3732Ch 0x00000017 mov ecx, esi 0x00000019 popad 0x0000001a push dword ptr [ebp+122D0B0Dh] 0x00000020 jmp 00007FF154E3732Ah 0x00000025 call dword ptr [ebp+122D1CA4h] 0x0000002b pushad 0x0000002c js 00007FF154E37332h 0x00000032 xor eax, eax 0x00000034 jns 00007FF154E3733Bh 0x0000003a mov edx, dword ptr [esp+28h] 0x0000003e jmp 00007FF154E37331h 0x00000043 mov dword ptr [ebp+122D38BEh], eax 0x00000049 mov dword ptr [ebp+122D22D7h], eax 0x0000004f mov esi, 0000003Ch 0x00000054 add dword ptr [ebp+122D1D6Dh], ebx 0x0000005a add esi, dword ptr [esp+24h] 0x0000005e je 00007FF154E3732Eh 0x00000064 jng 00007FF154E37328h 0x0000006a pushad 0x0000006b popad 0x0000006c lodsw 0x0000006e jmp 00007FF154E37337h 0x00000073 add eax, dword ptr [esp+24h] 0x00000077 mov dword ptr [ebp+122D22D7h], edi 0x0000007d mov ebx, dword ptr [esp+24h] 0x00000081 sub dword ptr [ebp+122D22D7h], edx 0x00000087 nop 0x00000088 push eax 0x00000089 push edx 0x0000008a jmp 00007FF154E37339h 0x0000008f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E7CC3 second address: 6E7CC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67F577 second address: 67F58E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF154E3732Eh 0x00000008 ja 00007FF154E37326h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67F58E second address: 67F5B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jbe 00007FF154E32A74h 0x0000000d jmp 00007FF154E32A53h 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E6A1C second address: 6E6A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E6A22 second address: 6E6A26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E6A26 second address: 6E6A2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E6A2C second address: 6E6A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E6A32 second address: 6E6A3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FF154E37326h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E6FBA second address: 6E6FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E6FBF second address: 6E6FC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E6FC4 second address: 6E701E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF154E32A46h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FF154E32A4Bh 0x00000011 popad 0x00000012 jmp 00007FF154E32A4Bh 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a jmp 00007FF154E32A55h 0x0000001f jmp 00007FF154E32A57h 0x00000024 push eax 0x00000025 push edx 0x00000026 jo 00007FF154E32A46h 0x0000002c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6E701E second address: 6E7022 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EBFED second address: 6EBFF9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF154E32A46h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EBFF9 second address: 6EC02B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E3732Eh 0x00000007 jbe 00007FF154E3732Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 jnl 00007FF154E37326h 0x00000018 pop edi 0x00000019 jnl 00007FF154E37328h 0x0000001f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EC02B second address: 6EC040 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF154E32A51h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B702C second address: 6B703A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF154E37326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B703A second address: 6B703E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B703E second address: 69CDAE instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF154E37326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007FF154E3732Ah 0x00000013 jne 00007FF154E37326h 0x00000019 popad 0x0000001a jmp 00007FF154E3732Ch 0x0000001f popad 0x00000020 nop 0x00000021 push 00000000h 0x00000023 push edi 0x00000024 call 00007FF154E37328h 0x00000029 pop edi 0x0000002a mov dword ptr [esp+04h], edi 0x0000002e add dword ptr [esp+04h], 00000015h 0x00000036 inc edi 0x00000037 push edi 0x00000038 ret 0x00000039 pop edi 0x0000003a ret 0x0000003b mov dword ptr [ebp+122D1D63h], edx 0x00000041 call dword ptr [ebp+12455682h] 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007FF154E3732Ch 0x0000004e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B7146 second address: 6B7201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FF154E32A59h 0x0000000e xchg eax, ebx 0x0000000f mov ecx, dword ptr [ebp+122D1C1Bh] 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov dh, B3h 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 sub dx, 956Dh 0x0000002a mov dword ptr [ebp+12484DBDh], esp 0x00000030 mov dword ptr [ebp+122D1D63h], ebx 0x00000036 cmp dword ptr [ebp+122D37F6h], 00000000h 0x0000003d jne 00007FF154E32B1Dh 0x00000043 and ecx, 32810451h 0x00000049 jns 00007FF154E32A4Ch 0x0000004f mov byte ptr [ebp+122D1CCAh], 00000047h 0x00000056 call 00007FF154E32A50h 0x0000005b mov edi, dword ptr [ebp+122D3792h] 0x00000061 pop edx 0x00000062 mov eax, D49AA7D2h 0x00000067 mov edi, dword ptr [ebp+122D364Ah] 0x0000006d mov dword ptr [ebp+122D1C9Fh], ebx 0x00000073 nop 0x00000074 jmp 00007FF154E32A55h 0x00000079 push eax 0x0000007a push eax 0x0000007b push edx 0x0000007c jmp 00007FF154E32A4Ah 0x00000081 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B7201 second address: 6B7212 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF154E3732Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7285E8 second address: 728631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154E32A53h 0x00000009 popad 0x0000000a pushad 0x0000000b jno 00007FF154E32A46h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FF154E32A57h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jp 00007FF154E32A4Eh 0x00000021 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 728631 second address: 728653 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E37339h 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7319D0 second address: 7319D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7319D6 second address: 7319FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF154E37333h 0x0000000b popad 0x0000000c push ebx 0x0000000d jmp 00007FF154E3732Bh 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop ebx 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7319FF second address: 731A04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 731A04 second address: 731A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 731A0A second address: 731A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 731CEC second address: 731D15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E3732Eh 0x00000007 jmp 00007FF154E37337h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 731D15 second address: 731D29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FF154E32A46h 0x0000000a jmp 00007FF154E32A4Ah 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 735081 second address: 735087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 735087 second address: 735090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 735090 second address: 735098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 735098 second address: 7350A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7350A0 second address: 7350A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7350A9 second address: 7350BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154E32A4Eh 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73DE7B second address: 73DE8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154E3732Ch 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73DE8F second address: 73DE9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF154E32A46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73DE9B second address: 73DEA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73DEA0 second address: 73DEBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF154E32A52h 0x00000008 pushad 0x00000009 popad 0x0000000a ja 00007FF154E32A46h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73DD12 second address: 73DD16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73DD16 second address: 73DD1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7460DB second address: 7460E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B6CA second address: 66B6D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75655B second address: 756562 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7563D8 second address: 756403 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jp 00007FF154E32A46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF154E32A4Fh 0x00000013 jc 00007FF154E32A4Eh 0x00000019 pushad 0x0000001a popad 0x0000001b jbe 00007FF154E32A46h 0x00000021 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 758877 second address: 75887B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75887B second address: 758881 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75AB87 second address: 75ABA3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF154E37326h 0x00000008 js 00007FF154E37326h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop ebx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 jo 00007FF154E37326h 0x0000001c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75ABA3 second address: 75ABDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E32A58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF154E32A4Eh 0x0000000e jmp 00007FF154E32A4Bh 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75FCFE second address: 75FD04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75FD04 second address: 75FD08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75FD08 second address: 75FD12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75FD12 second address: 75FD18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75FD18 second address: 75FD40 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF154E37326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF154E37332h 0x0000000f popad 0x00000010 pushad 0x00000011 js 00007FF154E3732Eh 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75FE83 second address: 75FEAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E32A55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b jmp 00007FF154E32A4Dh 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 75FFFA second address: 75FFFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 760BAF second address: 760BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FF154E32A55h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 760BCF second address: 760BEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E37339h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 760BEE second address: 760BF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 760BF2 second address: 760BF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 763BC7 second address: 763BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154E32A59h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 763BE4 second address: 763C39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E37338h 0x00000007 ja 00007FF154E37326h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FF154E37331h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007FF154E3732Eh 0x0000001d jmp 00007FF154E37331h 0x00000022 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7638F9 second address: 76391D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E32A50h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007FF154E32A46h 0x00000013 jl 00007FF154E32A46h 0x00000019 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 766B77 second address: 766B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 766B7D second address: 766B96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154E32A51h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76E001 second address: 76E010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jo 00007FF154E37326h 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76E010 second address: 76E025 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 jnc 00007FF154E32A56h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76F774 second address: 76F77A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 76F77A second address: 76F780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 775631 second address: 775639 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 775639 second address: 77563F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77563F second address: 775643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 779272 second address: 77927C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF154E32A46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 77927C second address: 779281 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 779281 second address: 779287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7726F8 second address: 7726FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79A2AC second address: 79A2D0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FF154E32A56h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007FF154E32A48h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79ABBB second address: 79ABDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E37330h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jc 00007FF154E37326h 0x00000010 je 00007FF154E37326h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79ABDE second address: 79AC0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF154E32A46h 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FF154E32A59h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79AC0D second address: 79AC17 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF154E37326h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79AC17 second address: 79AC1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79AC1D second address: 79AC24 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79AEEE second address: 79AF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FF154E32A54h 0x0000000c pop ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79AF0F second address: 79AF1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jnp 00007FF154E37326h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 79F753 second address: 79F758 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A23FE second address: 7A2415 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E37333h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A2415 second address: 7A241A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A241A second address: 7A2420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A2420 second address: 7A2426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A3E3B second address: 7A3E3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A3E3F second address: 7A3E4B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF154E32A46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BCB9E second address: 6BCBCC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E37338h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF154E3732Eh 0x00000012 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5130832 second address: 5130836 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5130836 second address: 513083C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 513083C second address: 5130890 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E32A4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007FF154E32A4Eh 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 jmp 00007FF154E32A4Eh 0x00000016 jmp 00007FF154E32A52h 0x0000001b popad 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF154E32A4Eh 0x00000024 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5130890 second address: 51308E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 pushfd 0x00000006 jmp 00007FF154E3732Dh 0x0000000b add ah, 00000006h 0x0000000e jmp 00007FF154E37331h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, esi 0x00000018 pushad 0x00000019 mov si, DC53h 0x0000001d mov ax, EAAFh 0x00000021 popad 0x00000022 lea eax, dword ptr [ebp-04h] 0x00000025 jmp 00007FF154E37332h 0x0000002a nop 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51308E2 second address: 51308E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51308E6 second address: 51308EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51308EC second address: 51308FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF154E32A4Bh 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51308FB second address: 5130929 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E37339h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF154E3732Ch 0x00000013 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5130929 second address: 5130979 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF154E32A51h 0x00000009 adc si, C186h 0x0000000e jmp 00007FF154E32A51h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 nop 0x00000018 pushad 0x00000019 pushad 0x0000001a mov edx, 49C0C03Ch 0x0000001f call 00007FF154E32A55h 0x00000024 pop esi 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51309A4 second address: 51309BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF154E37333h 0x00000009 popad 0x0000000a rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51309BC second address: 5130A3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 pushfd 0x00000007 jmp 00007FF154E32A50h 0x0000000c adc cx, CB48h 0x00000011 jmp 00007FF154E32A4Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a cmp dword ptr [ebp-04h], 00000000h 0x0000001e jmp 00007FF154E32A56h 0x00000023 mov esi, eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007FF154E32A4Dh 0x0000002e sbb ah, 00000016h 0x00000031 jmp 00007FF154E32A51h 0x00000036 popfd 0x00000037 call 00007FF154E32A50h 0x0000003c pop eax 0x0000003d popad 0x0000003e rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5130A9C second address: 5120035 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF154E37331h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a jmp 00007FF154E3732Eh 0x0000000f leave 0x00000010 jmp 00007FF154E37330h 0x00000015 retn 0004h 0x00000018 nop 0x00000019 sub esp, 04h 0x0000001c xor ebx, ebx 0x0000001e cmp eax, 00000000h 0x00000021 je 00007FF154E3748Fh 0x00000027 mov dword ptr [esp], 0000000Dh 0x0000002e call 00007FF159A783E5h 0x00000033 mov edi, edi 0x00000035 jmp 00007FF154E3732Eh 0x0000003a xchg eax, ebp 0x0000003b pushad 0x0000003c mov si, B38Dh 0x00000040 mov ax, FB89h 0x00000044 popad 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 jmp 00007FF154E37330h 0x0000004e mov esi, 21C0AE31h 0x00000053 popad 0x00000054 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5120035 second address: 51200DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF154E32A4Dh 0x00000008 pop ecx 0x00000009 mov di, DEB4h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 mov dh, 50h 0x00000014 movzx eax, dx 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a jmp 00007FF154E32A4Dh 0x0000001f sub esp, 2Ch 0x00000022 pushad 0x00000023 pushad 0x00000024 mov ah, A6h 0x00000026 mov ax, di 0x00000029 popad 0x0000002a pushfd 0x0000002b jmp 00007FF154E32A4Bh 0x00000030 or ecx, 23CDAFAEh 0x00000036 jmp 00007FF154E32A59h 0x0000003b popfd 0x0000003c popad 0x0000003d xchg eax, ebx 0x0000003e pushad 0x0000003f mov bx, cx 0x00000042 push esi 0x00000043 pop edi 0x00000044 popad 0x00000045 push eax 0x00000046 jmp 00007FF154E32A51h 0x0000004b xchg eax, ebx 0x0000004c jmp 00007FF154E32A4Eh 0x00000051 xchg eax, edi 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FF154E32A57h 0x00000059 rdtsc
          Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 512019F second address: 51201B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF154E37334h 0x00000009 rdtsc
          Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 505A58 instructions caused by: Self-modifying code
          Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 505B59 instructions caused by: Self-modifying code
          Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 6ACA2E instructions caused by: Self-modifying code
          Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 503006 instructions caused by: Self-modifying code
          Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 735B71 instructions caused by: Self-modifying code
          Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
          Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
          Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
          Source: C:\Users\user\Desktop\file.exe TID: 5476 Thread sleep time: -40020s >= -30000s
          Source: C:\Users\user\Desktop\file.exe TID: 3892 Thread sleep time: -30015s >= -30000s
          Source: C:\Users\user\Desktop\file.exe TID: 5240 Thread sleep time: -38019s >= -30000s
          Source: C:\Users\user\Desktop\file.exe TID: 7116 Thread sleep time: -180000s >= -30000s
          Source: C:\Users\user\Desktop\file.exe TID: 3116 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
          Source: file.exe, 00000000.00000002.1348974721.000000000068D000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
          Source: file.exe, file.exe, 00000000.00000003.1323025095.00000000011AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1349538221.0000000001177000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1348478286.00000000011AD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1169272115.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1348633206.00000000011BC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1295029623.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1169392611.00000000011BC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.967271913.00000000011BB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1349760361.00000000011BD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1169350686.00000000011AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
          Source: file.exe, 00000000.00000003.1048287794.0000000005B09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696492231p
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
          Source: file.exe, 00000000.00000002.1348974721.000000000068D000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
          Source: file.exe, 00000000.00000003.1048454603.0000000005AFC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
          Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
          Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

          Anti Debugging

          Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
          Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
          Source: C:\Users\user\Desktop\file.exe File opened: NTICE
          Source: C:\Users\user\Desktop\file.exe File opened: SICE
          Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
          Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
          Source: file.exe, 00000000.00000002.1348974721.000000000068D000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 5[Program Manager
          Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: file.exe, file.exe, 00000000.00000003.1323025095.00000000011AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1348478286.00000000011AD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1295029623.00000000011AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: file.exe, 00000000.00000003.1295029623.00000000011AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Windows Defender\MsMpeng.exe
          Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

          Stealing of Sensitive Information

          Source: Yara match; File source: Process Memory Space: file.exe PID: 5580, type: MEMORYSTR
          Source: Yara match; File source: 0.2.file.exe.4a0000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000000.00000002.1348888936.00000000004A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: file.exe; String found in binary or memory: Wallets/Electrum
          Source: file.exe; String found in binary or memory: Wallets/ElectronCash
          Source: file.exe; String found in binary or memory: window-state.json
          Source: file.exe; String found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
          Source: file.exe; String found in binary or memory: %appdata%\Exodus\exodus.wallet
          Source: file.exe; String found in binary or memory: ExodusWeb3
          Source: file.exe; String found in binary or memory: %appdata%\Ethereum
          Source: file.exe, 00000000.00000003.1169252310.0000000001201000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
          Source: file.exe; String found in binary or memory: keystore
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\FTPbox
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\FTPRush
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\FTPGetter
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\FTPInfo
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\ProgramData\SiteDesigner\3D-FTP
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Ledger Live
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Binance
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
          Source: C:\Users\user\Desktop\file.exe; File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
          Source: C:\Users\user\Desktop\file.exe; Directory queried: C:\Users\user\Documents
          Source: C:\Users\user\Desktop\file.exe; Directory queried: C:\Users\user\Documents\PALRGUCVEH
          Source: Yara match; File source: Process Memory Space: file.exe PID: 5580, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match; File source: Process Memory Space: file.exe PID: 5580, type: MEMORYSTR
          Source: Yara match; File source: 0.2.file.exe.4a0000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000000.00000002.1348888936.00000000004A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
          Execution: 12 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
          Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
          Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
          Defense Evasion: 44 Virtualization/Sandbox Evasion; 1 Process Injection; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
          Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
          Discovery: 851 Security Software Discovery; 44 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 File and Directory Discovery; 223 System Information Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
          Collection: 1 Archive Collected Data; 41 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging
          Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
