Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1542964
MD5: 89eb026b1e8b37df60728d38b5ba98ba
SHA1: 20bef1ee48878b4b83d805f4b7d4c0b9b493f7d2
SHA256: 7e903a309497439f4842b480e73d0b8c71a01cc597d3127c8869f093465c2317
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: file.exe Avira: detected
Source: file.exe.6636.1.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["necklacedmny.store", "crisiwarny.store", "thumbystriw.store", "scriptyprefej.store", "fadehairucw.store", "presticitpo.store", "navygenerayk.store", "founpiuer.store"], "Build id": "4SD0y4--legendaryy"}
Source: file.exe ReversingLabs: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: 00000001.00000002.1441383982.0000000000471000.00000040.00000001.01000000.00000003.sdmp String decryptor: scriptyprefej.store
Source: 00000001.00000002.1441383982.0000000000471000.00000040.00000001.01000000.00000003.sdmp String decryptor: navygenerayk.store
Source: 00000001.00000002.1441383982.0000000000471000.00000040.00000001.01000000.00000003.sdmp String decryptor: founpiuer.store
Source: 00000001.00000002.1441383982.0000000000471000.00000040.00000001.01000000.00000003.sdmp String decryptor: necklacedmny.store
Source: 00000001.00000002.1441383982.0000000000471000.00000040.00000001.01000000.00000003.sdmp String decryptor: thumbystriw.store
Source: 00000001.00000002.1441383982.0000000000471000.00000040.00000001.01000000.00000003.sdmp String decryptor: fadehairucw.store
Source: 00000001.00000002.1441383982.0000000000471000.00000040.00000001.01000000.00000003.sdmp String decryptor: crisiwarny.store
Source: 00000001.00000002.1441383982.0000000000471000.00000040.00000001.01000000.00000003.sdmp String decryptor: presticitpo.store
Source: 00000001.00000002.1441383982.0000000000471000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.1441383982.0000000000471000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.1441383982.0000000000471000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000001.00000002.1441383982.0000000000471000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.1441383982.0000000000471000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000001.00000002.1441383982.0000000000471000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0048D7F8 CryptUnprotectData, 1_2_0048D7F8
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 1_2_0048104F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-42h] 1_2_0047E1A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 1_2_004AE210
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, dword ptr [esi+64h] 1_2_004A15DC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, eax 1_2_0049F9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esi+10h], edx 1_2_0049F9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi], cl 1_2_0049F9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi], al 1_2_0049F9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [esp+edx+6D44C030h] 1_2_0049AB20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9ABDB589h 1_2_0049AB20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 1_2_004B4C40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+75E07B5Ch] 1_2_0047EC20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edi, esi 1_2_004ABCA9
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-0000008Ah] 1_2_0047CF90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+38h] 1_2_0048E07E
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [eax+ebx], 30303030h 1_2_00471000
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h 1_2_00471000
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, eax 1_2_0049702F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [ecx+edx] 1_2_004AF020
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov esi, dword ptr [esp+1Ch] 1_2_004AF020
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add ecx, eax 1_2_0049A083
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-6Ch] 1_2_0049A083
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov esi, ecx 1_2_004B2165
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [004BDCFCh] 1_2_004AC132
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], B62B8D10h 1_2_0049D2FD
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [esp] 1_2_0049D2FD
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 1_2_00498290
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+29352E8Dh] 1_2_004B5330
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], B62B8D10h 1_2_0049C3A6
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 1_2_004814CE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebp, edx 1_2_004B24E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, dword ptr [esp+04h] 1_2_004714A8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+58h] 1_2_00492520
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 1_2_004B35F0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h] 1_2_004B35F0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 1_2_004966E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax] 1_2_004936AC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 1_2_004B3740
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h] 1_2_004B3740
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [eax], cl 1_2_0049F73A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [esp+eax-3ED06EDAh] 1_2_004AC7A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 1_2_0049E7B0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add edx, esi 1_2_004998F2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [eax], cl 1_2_004A0887
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 1_2_00475890
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 1_2_00496940
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 1_2_004B39C0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h] 1_2_004B39C0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h] 1_2_004B3A90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then and esi, 001FF800h 1_2_00474BA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp+04h], ecx 1_2_0048FBA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h 1_2_0049ECE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 1_2_004A8C80
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+6D44C02Ch] 1_2_004AFC90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [ebp+edx*4+00h], ax 1_2_0047BD50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+34h] 1_2_0047BD50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h] 1_2_004B3D90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], bp 1_2_00491EC5
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [ecx], di 1_2_00491EC5
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp edx 1_2_00478EF0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [eax], cl 1_2_004A0F3E

Networking

Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49700 -> 172.67.170.64:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49700 -> 172.67.170.64:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49701 -> 172.67.170.64:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49701 -> 172.67.170.64:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49703 -> 172.67.170.64:443
Source: Malware configuration extractor URLs: necklacedmny.store
Source: Malware configuration extractor URLs: crisiwarny.store
Source: Malware configuration extractor URLs: thumbystriw.store
Source: Malware configuration extractor URLs: scriptyprefej.store
Source: Malware configuration extractor URLs: fadehairucw.store
Source: Malware configuration extractor URLs: presticitpo.store
Source: Malware configuration extractor URLs: navygenerayk.store
Source: Malware configuration extractor URLs: founpiuer.store
Source: Joe Sandbox View IP Address: 172.67.170.64
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 52 | Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12849 | Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15081 | Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20406 | Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1242 | Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 581658 | Host: crisiwarny.store
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: presticitpo.store
Source: global traffic DNS traffic detected: DNS query: crisiwarny.store
Source: unknown HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: crisiwarny.store
Source: file.exe, 00000001.00000003.1349361584.000000000540D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000001.00000003.1349361584.000000000540D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000001.00000002.1447480635.0000000000B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: file.exe, 00000001.00000003.1349361584.000000000540D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000001.00000003.1349361584.000000000540D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000001.00000003.1349361584.000000000540D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000001.00000003.1349361584.000000000540D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000001.00000003.1349361584.000000000540D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000001.00000003.1349361584.000000000540D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000001.00000003.1349361584.000000000540D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000001.00000003.1349361584.000000000540D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000001.00000003.1349361584.000000000540D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000001.00000003.1319650588.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000003.1316164190.0000000005336000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000001.00000003.1364448809.0000000005325000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: file.exe, 00000001.00000003.1364448809.0000000005325000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: file.exe, 00000001.00000003.1319650588.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000003.1316164190.0000000005336000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000001.00000003.1319650588.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000003.1316164190.0000000005336000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000001.00000003.1319650588.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000003.1316164190.0000000005336000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000001.00000003.1364448809.0000000005325000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: file.exe, 00000001.00000003.1364448809.0000000005325000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000001.00000002.1447480635.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1447480635.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1447480635.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1312761325.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1447480635.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1312424888.0000000000B7A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1433151385.0000000005301000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.1449178158.0000000005302000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/
Source: file.exe, 00000001.00000002.1447480635.0000000000B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/8
Source: file.exe, 00000001.00000002.1447480635.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/L
Source: file.exe, 00000001.00000002.1447480635.0000000000B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/Y
Source: file.exe, 00000001.00000002.1447480635.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1335230711.0000000000B83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1348810433.0000000000B83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1348619405.0000000005305000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/api
Source: file.exe, 00000001.00000002.1447839504.0000000000B9C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1388801349.0000000000B96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/api(w
Source: file.exe, 00000001.00000002.1447480635.0000000000B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/api7AG
Source: file.exe, 00000001.00000002.1447480635.0000000000B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apiT
Source: file.exe, 00000001.00000003.1364471802.0000000000B83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apibm
Source: file.exe, 00000001.00000002.1447480635.0000000000B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apiq
Source: file.exe, 00000001.00000003.1348738975.0000000005313000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000003.1349101168.0000000005313000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/j
Source: file.exe, 00000001.00000002.1447480635.0000000000B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/s
Source: file.exe, 00000001.00000003.1319650588.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000003.1316164190.0000000005336000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000001.00000003.1319650588.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000003.1316164190.0000000005336000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000001.00000003.1319650588.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000003.1316164190.0000000005336000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000001.00000003.1364448809.0000000005325000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: file.exe, 00000001.00000003.1350763874.000000000562E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000001.00000003.1350763874.000000000562E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000001.00000003.1364448809.0000000005325000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: file.exe, 00000001.00000003.1319650588.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000003.1316164190.0000000005336000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000001.00000003.1319650588.000000000531E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000003.1316164190.0000000005336000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000001.00000003.1364448809.0000000005325000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: file.exe, 00000001.00000003.1350763874.000000000562E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: file.exe, 00000001.00000003.1350763874.000000000562E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: file.exe, 00000001.00000003.1350763874.000000000562E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: file.exe, 00000001.00000003.1350763874.000000000562E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000001.00000003.1350763874.000000000562E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.7:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.170.64:443 -> 192.168.2.7:49722 version: TLS 1.2

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0047E190 appears 152 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0047C890 appears 69 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9981081014890282
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/1
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004A2240 CoCreateInstance, 1_2_004A2240
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000001.00000003.1314879408.000000000533B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000003.1335626324.0000000005337000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000003.1335495165.0000000005341000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: file.exe Static file information: File size 2939904 > 1048576
Source: file.exe Static PE information: Raw size of fiufktgl is bigger than: 0x100000 < 0x2a2400

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 1.2.file.exe.470000.0.unpack :EW;.rsrc :W;.idata :W;fiufktgl:EW;thfjtvjw:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;fiufktgl:EW;thfjtvjw:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x2d6421 should be: 0x2dc1cb
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: fiufktgl
Source: file.exe Static PE information: section name: thfjtvjw
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0076E035 push ecx; mov dword ptr [esp], 4654D9BEh 1_2_0076E150
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0076E035 push ecx; mov dword ptr [esp], 2E385851h 1_2_0076E179
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0076E035 push ecx; mov dword ptr [esp], esi 1_2_0076E18C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006C60E5 push edi; mov dword ptr [esp], ebx 1_2_006C613A
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006C60E5 push ecx; mov dword ptr [esp], 77BB4CFFh 1_2_006C614E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006C60E5 push 60AACA7Ah; mov dword ptr [esp], edi 1_2_006C6184
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006550FF push 0446B500h; mov dword ptr [esp], ebx 1_2_00655152
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006550FF push 1AE22D4Ah; mov dword ptr [esp], ebx 1_2_006582CA
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006550FF push 7786B3D4h; mov dword ptr [esp], edi 1_2_006582D7
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0072F17A push 52AFEF72h; mov dword ptr [esp], edx 1_2_0072F214
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0072F17A push edi; mov dword ptr [esp], 1A3234B7h 1_2_0072F29C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0072F17A push 625E2BBCh; mov dword ptr [esp], ecx 1_2_0072F2DC
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006C0118 push esi; mov dword ptr [esp], edx 1_2_006C0152
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0055C1C4 push ebx; mov dword ptr [esp], edx 1_2_0055C1CE
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0055C1C4 push ebp; mov dword ptr [esp], 7A7E5413h 1_2_0055C232
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0055C1C4 push esi; mov dword ptr [esp], eax 1_2_0055C2DD
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0055C1C4 push eax; mov dword ptr [esp], 7B335F66h 1_2_0055C2E5
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006A119F push 3FAF9568h; mov dword ptr [esp], edx 1_2_006A11F4
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006A119F push ecx; mov dword ptr [esp], ebx 1_2_006A1231
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005D4266 push 215E1602h; mov dword ptr [esp], eax 1_2_005D42D7
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005D4266 push ecx; mov dword ptr [esp], eax 1_2_005D4370
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005D4266 push ebx; mov dword ptr [esp], ebp 1_2_005D43D9
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005D4266 push ebp; mov dword ptr [esp], ebx 1_2_005D43FC
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0072B23A push 5408B400h; mov dword ptr [esp], ebp 1_2_0072B24E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004D32DC push eax; mov dword ptr [esp], edx 1_2_004D5D08
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004D32DC push edx; mov dword ptr [esp], esi 1_2_004D5D0C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0053F2F4 push 26705F4Ah; mov dword ptr [esp], eax 1_2_0053F315
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0053F2F4 push ebp; mov dword ptr [esp], 3433377Bh 1_2_0053F407
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0053F2F4 push 04E0DF8Fh; mov dword ptr [esp], eax 1_2_0053F418
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0053F2F4 push 5FF99E66h; mov dword ptr [esp], ebx 1_2_0053F444
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0053F2F4 push 1112FA0Bh; mov dword ptr [esp], ecx 1_2_0053F52D
Source: file.exe Static PE information: section name: entropy: 7.981472592877069

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0CB second address: 4CF0CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0CF second address: 4CF0D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0D3 second address: 4CF0DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0DC second address: 4CE9E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 jnp 00007FBBF0E1BFD4h 0x0000000f pushad 0x00000010 jmp 00007FBBF0E1BFC6h 0x00000015 mov eax, dword ptr [ebp+122D2ACFh] 0x0000001b popad 0x0000001c push dword ptr [ebp+122D0A05h] 0x00000022 mov dword ptr [ebp+122D2825h], edx 0x00000028 jmp 00007FBBF0E1BFC8h 0x0000002d call dword ptr [ebp+122D2892h] 0x00000033 pushad 0x00000034 mov dword ptr [ebp+122D285Fh], eax 0x0000003a xor eax, eax 0x0000003c sub dword ptr [ebp+122D285Fh], edx 0x00000042 mov edx, dword ptr [esp+28h] 0x00000046 stc 0x00000047 mov dword ptr [ebp+122D2DDFh], eax 0x0000004d jmp 00007FBBF0E1BFC2h 0x00000052 mov esi, 0000003Ch 0x00000057 sub dword ptr [ebp+122D3825h], eax 0x0000005d add esi, dword ptr [esp+24h] 0x00000061 or dword ptr [ebp+122D3825h], ecx 0x00000067 lodsw 0x00000069 xor dword ptr [ebp+122D285Fh], edi 0x0000006f add eax, dword ptr [esp+24h] 0x00000073 pushad 0x00000074 jg 00007FBBF0E1BFB9h 0x0000007a mov dx, ax 0x0000007d popad 0x0000007e mov ebx, dword ptr [esp+24h] 0x00000082 jmp 00007FBBF0E1BFBDh 0x00000087 nop 0x00000088 push esi 0x00000089 push eax 0x0000008a push edx 0x0000008b jp 00007FBBF0E1BFB6h 0x00000091 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648D1D second address: 648D23 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648D23 second address: 648D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBBF0E1BFC2h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648D3B second address: 648D4B instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBBF0BBFDB2h 0x00000008 je 00007FBBF0BBFDA6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648D4B second address: 648D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007FBBF0E1BFB6h 0x00000010 jmp 00007FBBF0E1BFBFh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648D6A second address: 648D80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF0BBFDB2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648D80 second address: 648D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648D86 second address: 648D8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 649352 second address: 64939A instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBBF0E1BFD8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007FBBF0E1BFC8h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64AF55 second address: 4CE9E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 xor dword ptr [esp], 798D2124h 0x0000000c mov edx, dword ptr [ebp+122D2B83h] 0x00000012 push dword ptr [ebp+122D0A05h] 0x00000018 mov dword ptr [ebp+122D285Fh], ebx 0x0000001e call dword ptr [ebp+122D2892h] 0x00000024 pushad 0x00000025 mov dword ptr [ebp+122D285Fh], eax 0x0000002b xor eax, eax 0x0000002d sub dword ptr [ebp+122D285Fh], edx 0x00000033 mov edx, dword ptr [esp+28h] 0x00000037 stc 0x00000038 mov dword ptr [ebp+122D2DDFh], eax 0x0000003e jmp 00007FBBF0BBFDB2h 0x00000043 mov esi, 0000003Ch 0x00000048 sub dword ptr [ebp+122D3825h], eax 0x0000004e add esi, dword ptr [esp+24h] 0x00000052 or dword ptr [ebp+122D3825h], ecx 0x00000058 lodsw 0x0000005a xor dword ptr [ebp+122D285Fh], edi 0x00000060 add eax, dword ptr [esp+24h] 0x00000064 pushad 0x00000065 jg 00007FBBF0BBFDA9h 0x0000006b mov dx, ax 0x0000006e popad 0x0000006f mov ebx, dword ptr [esp+24h] 0x00000073 jmp 00007FBBF0BBFDADh 0x00000078 nop 0x00000079 push esi 0x0000007a push eax 0x0000007b push edx 0x0000007c jp 00007FBBF0BBFDA6h 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64AF9C second address: 64AFA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FBBF10EAAF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64AFA6 second address: 64AFF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FBBF0D5FF5Ch 0x0000000f jl 00007FBBF0D5FF6Ah 0x00000015 jmp 00007FBBF0D5FF64h 0x0000001a popad 0x0000001b nop 0x0000001c and edx, 7D190F53h 0x00000022 jbe 00007FBBF0D5FF57h 0x00000028 push 00000000h 0x0000002a sbb dx, 0CEFh 0x0000002f push 08DF685Bh 0x00000034 push eax 0x00000035 push edx 0x00000036 push ebx 0x00000037 pushad 0x00000038 popad 0x00000039 pop ebx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64B0EF second address: 64B106 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FBBF10EAAFCh 0x00000011 jnc 00007FBBF10EAAF6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64B1A5 second address: 64B1AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64B1AC second address: 64B1CC instructions: 0x00000000 rdtsc 0x00000002 js 00007FBBF10EAAF8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 jmp 00007FBBF10EAAFFh 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64B1CC second address: 64B1D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64B2F8 second address: 64B31A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EAB03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FBBF10EAAFCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64B31A second address: 64B31E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64B31E second address: 64B323 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64B323 second address: 64B36D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a adc si, F774h 0x0000000f push 00000000h 0x00000011 mov dl, 05h 0x00000013 mov dh, ah 0x00000015 push 737A224Ch 0x0000001a jp 00007FBBF0D5FF5Ah 0x00000020 xor dword ptr [esp], 737A22CCh 0x00000027 push 00000003h 0x00000029 mov dword ptr [ebp+122D38D9h], edi 0x0000002f push 00000000h 0x00000031 adc dh, FFFFFFCBh 0x00000034 push 00000003h 0x00000036 mov dword ptr [ebp+122D2A5Ch], edi 0x0000003c push 627A9B51h 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 push edi 0x00000045 pop edi 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64B36D second address: 64B3D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FBBF10EAAF8h 0x0000000c popad 0x0000000d add dword ptr [esp], 5D8564AFh 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007FBBF10EAAF8h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov edi, 3EC18AF0h 0x00000033 lea ebx, dword ptr [ebp+1244FEBFh] 0x00000039 or esi, dword ptr [ebp+122D2CAFh] 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 jp 00007FBBF10EAB0Dh 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66C92E second address: 66C956 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 jns 00007FBBF0D5FF56h 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007FBBF0D5FF65h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66C956 second address: 66C972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBF10EAB07h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66AB72 second address: 66AB76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66B102 second address: 66B10C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FBBF10EAAF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66B10C second address: 66B110 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AE3E1 second address: 6AE3E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AD045 second address: 6AD066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push ebx 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FBBF10EEFA5h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AD1B6 second address: 6AD1CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FBBF0522A56h 0x00000009 jnp 00007FBBF0522A56h 0x0000000f popad 0x00000010 jg 00007FBBF0522A5Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AD83C second address: 6AD84A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FBBF10EEF96h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ADAE1 second address: 6ADAF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FBBF0522A5Eh 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67B6CF second address: 67B6D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67BA45 second address: 67BA64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBBF0522A61h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67BA64 second address: 67BA69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67BA69 second address: 4CE9E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FBBF0522A56h 0x00000009 jmp 00007FBBF0522A65h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 or dh, FFFFFFEEh 0x00000015 push dword ptr [ebp+122D0A05h] 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007FBBF0522A58h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 0000001Bh 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 xor dword ptr [ebp+122D337Ch], edi 0x0000003b call dword ptr [ebp+122D2892h] 0x00000041 pushad 0x00000042 mov dword ptr [ebp+122D285Fh], eax 0x00000048 xor eax, eax 0x0000004a sub dword ptr [ebp+122D285Fh], edx 0x00000050 mov edx, dword ptr [esp+28h] 0x00000054 stc 0x00000055 mov dword ptr [ebp+122D2DDFh], eax 0x0000005b jmp 00007FBBF0522A62h 0x00000060 mov esi, 0000003Ch 0x00000065 sub dword ptr [ebp+122D3825h], eax 0x0000006b add esi, dword ptr [esp+24h] 0x0000006f or dword ptr [ebp+122D3825h], ecx 0x00000075 lodsw 0x00000077 xor dword ptr [ebp+122D285Fh], edi 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 pushad 0x00000082 jg 00007FBBF0522A59h 0x00000088 mov dx, ax 0x0000008b popad 0x0000008c mov ebx, dword ptr [esp+24h] 0x00000090 jmp 00007FBBF0522A5Dh 0x00000095 nop 0x00000096 push esi 0x00000097 push eax 0x00000098 push edx 0x00000099 jp 00007FBBF0522A56h 0x0000009f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67BB45 second address: 67BB4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67BB4A second address: 67BB50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67BB50 second address: 4CE9E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEF9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov ecx, 678B611Ah 0x00000011 push dword ptr [ebp+122D0A05h] 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007FBBF10EEF98h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 mov edi, dword ptr [ebp+122D2D77h] 0x00000037 call dword ptr [ebp+122D2892h] 0x0000003d pushad 0x0000003e mov dword ptr [ebp+122D285Fh], eax 0x00000044 xor eax, eax 0x00000046 sub dword ptr [ebp+122D285Fh], edx 0x0000004c mov edx, dword ptr [esp+28h] 0x00000050 stc 0x00000051 mov dword ptr [ebp+122D2DDFh], eax 0x00000057 jmp 00007FBBF10EEFA2h 0x0000005c mov esi, 0000003Ch 0x00000061 sub dword ptr [ebp+122D3825h], eax 0x00000067 add esi, dword ptr [esp+24h] 0x0000006b or dword ptr [ebp+122D3825h], ecx 0x00000071 lodsw 0x00000073 xor dword ptr [ebp+122D285Fh], edi 0x00000079 add eax, dword ptr [esp+24h] 0x0000007d pushad 0x0000007e jg 00007FBBF10EEF99h 0x00000084 mov dx, ax 0x00000087 popad 0x00000088 mov ebx, dword ptr [esp+24h] 0x0000008c jmp 00007FBBF10EEF9Dh 0x00000091 nop 0x00000092 push esi 0x00000093 push eax 0x00000094 push edx 0x00000095 jp 00007FBBF10EEF96h 0x0000009b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67BD3F second address: 67BD5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBBF0522A69h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67BDE6 second address: 67BDF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEF9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67BF40 second address: 67BF46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67BF46 second address: 67BF4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67BF4E second address: 67BF54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67C52D second address: 67C588 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBBF10EEF96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007FBBF10EEF98h 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 mov dword ptr [esp], eax 0x00000016 mov dword ptr [ebp+122D21E2h], ecx 0x0000001c push 0000001Eh 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007FBBF10EEF98h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000015h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 jmp 00007FBBF10EEFA3h 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 jnp 00007FBBF10EEF96h 0x00000047 push ecx 0x00000048 pop ecx 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67C6CE second address: 67C6D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67C6D4 second address: 67C6D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67C9EB second address: 67C9FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FBBF0522A56h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67C9FD second address: 67CA01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67CA01 second address: 663B98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 mov edi, 4BD7094Fh 0x0000000d call dword ptr [ebp+122D23CAh] 0x00000013 jbe 00007FBBF0522A6Ah 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 663B98 second address: 663B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 663B9E second address: 663BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FBBF0522A56h 0x0000000a popad 0x0000000b pushad 0x0000000c jc 00007FBBF0522A70h 0x00000012 jmp 00007FBBF0522A64h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B1DBA second address: 6B1DD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBF10EEFA4h 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B1DD3 second address: 6B1DD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B1DD9 second address: 6B1DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B2202 second address: 6B2206 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B266F second address: 6B2674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B27CA second address: 6B27D3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B4401 second address: 6B4405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B8963 second address: 6B8969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BBC82 second address: 6BBC8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BBC8E second address: 6BBC92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BBC92 second address: 6BBC96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C0FB5 second address: 6C0FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C0FBF second address: 6C0FC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BFDB9 second address: 6BFDBF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C003A second address: 6C0064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FBBF10EEF96h 0x0000000a jmp 00007FBBF10EEFA9h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C042A second address: 6C042E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C042E second address: 6C0432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C0432 second address: 6C043A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BFAF4 second address: 6BFB16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEFA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jo 00007FBBF10EEF96h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BFB16 second address: 6BFB1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BFB1C second address: 6BFB21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BFB21 second address: 6BFB27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BFB27 second address: 6BFB2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C0743 second address: 6C0749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C0749 second address: 6C0753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FBBF10EEF96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C0C9A second address: 6C0C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C0C9E second address: 6C0CA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C0CA2 second address: 6C0CA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C0CA8 second address: 6C0CB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C0CB6 second address: 6C0CBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C3A9E second address: 6C3AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C3AAE second address: 6C3AD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 push esi 0x00000008 pop esi 0x00000009 js 00007FBBF0522A56h 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FBBF0522A69h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CC692 second address: 6CC69D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FBBF10EEF96h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CC69D second address: 6CC6B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF0522A60h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CB2D1 second address: 6CB2D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CB2D7 second address: 6CB2DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CB2DB second address: 6CB2DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CB2DF second address: 6CB2E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CB2E5 second address: 6CB2EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CB2EF second address: 6CB2F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CB5D0 second address: 6CB629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FBBF10EEF96h 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FBBF10EEFA9h 0x00000011 pop eax 0x00000012 popad 0x00000013 push edi 0x00000014 push edx 0x00000015 jmp 00007FBBF10EEFA6h 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FBBF10EEFA7h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CB629 second address: 6CB62D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67C3D3 second address: 67C3F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBBF10EEFA9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D0E59 second address: 6D0E5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D0E5D second address: 6D0E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D07C1 second address: 6D07C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D07C5 second address: 6D07CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D07CB second address: 6D07DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBBF0522A60h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D3D4C second address: 6D3D69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEFA9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D340A second address: 6D342C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF0522A60h 0x00000007 jl 00007FBBF0522A58h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D342C second address: 6D3436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FBBF10EEF96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D3436 second address: 6D3465 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF0522A63h 0x00000007 jmp 00007FBBF0522A62h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D35C1 second address: 6D35C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D35C7 second address: 6D35CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D372E second address: 6D373E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBBF10EEF96h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D373E second address: 6D3742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D3742 second address: 6D375D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FBBF10EEF9Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D375D second address: 6D3761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D3761 second address: 6D3765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DBCD6 second address: 6DBCE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007FBBF0522A56h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DA571 second address: 6DA57B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FBBF10EEF96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DA57B second address: 6DA5A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBBF0522A64h 0x0000000f jmp 00007FBBF0522A5Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DAB56 second address: 6DAB5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DAB5C second address: 6DAB79 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 je 00007FBBF0522A5Ah 0x0000000f push eax 0x00000010 pop eax 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jp 00007FBBF0522A56h 0x0000001b push edi 0x0000001c pop edi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DB153 second address: 6DB15D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBBF10EEF96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DB43C second address: 6DB446 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FBBF0522A56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DB6C9 second address: 6DB6CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DB6CF second address: 6DB6DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FBBF0522A56h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DB974 second address: 6DB9A6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FBBF10EEF9Fh 0x0000000f jmp 00007FBBF10EEFA9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DEE48 second address: 6DEE64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBBF0522A67h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DEF93 second address: 6DEFC5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007FBBF10EEFA7h 0x0000000e jnl 00007FBBF10EEF96h 0x00000014 jno 00007FBBF10EEF96h 0x0000001a popad 0x0000001b pushad 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DEFC5 second address: 6DEFCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DEFCB second address: 6DEFD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DEFD5 second address: 6DEFDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DF29A second address: 6DF2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007FBBF10EEF9Dh 0x0000000b pop edx 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007FBBF10EEF9Ah 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EFE91 second address: 6EFE95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE0B1 second address: 6EE0C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBBF10EEFA1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE0C8 second address: 6EE0CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE0CC second address: 6EE0D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE0D0 second address: 6EE0E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FBBF0522A5Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE0E5 second address: 6EE114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 js 00007FBBF10EEF98h 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FBBF10EEFA9h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE114 second address: 6EE118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE3DF second address: 6EE3E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE3E4 second address: 6EE3FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBBF0522A66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE555 second address: 6EE569 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEF9Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007FBBF10EEF96h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE569 second address: 6EE56D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE6FE second address: 6EE708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EEB75 second address: 6EEB7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EEB7D second address: 6EEB96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEFA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EEB96 second address: 6EEB9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2520 second address: 6F2527 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2527 second address: 6F2568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FBBF0522A63h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FBBF0522A5Ch 0x00000012 jmp 00007FBBF0522A5Ch 0x00000017 jng 00007FBBF0522A62h 0x0000001d jne 00007FBBF0522A56h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F714A second address: 6F714E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F714E second address: 6F715A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F715A second address: 6F715E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F715E second address: 6F7164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F7164 second address: 6F7182 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEFA8h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704555 second address: 704571 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBBF0522A66h 0x00000008 jmp 00007FBBF0522A5Ah 0x0000000d jo 00007FBBF0522A56h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704571 second address: 704575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704575 second address: 704579 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 706FB7 second address: 706FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 706FBB second address: 706FC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 706BFB second address: 706BFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71B09D second address: 71B0C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FBBF0522A56h 0x0000000a popad 0x0000000b jbe 00007FBBF0522A5Eh 0x00000011 pop edx 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jbe 00007FBBF0522A56h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71B372 second address: 71B380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71B380 second address: 71B384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71B384 second address: 71B388 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71B388 second address: 71B3B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FBBF0522A78h 0x0000000c jmp 00007FBBF0522A5Eh 0x00000011 jmp 00007FBBF0522A64h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71B3B6 second address: 71B3DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEFA8h 0x00000007 jc 00007FBBF10EEF9Eh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71B7E9 second address: 71B816 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FBBF0522A56h 0x00000009 jmp 00007FBBF0522A67h 0x0000000e jc 00007FBBF0522A56h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71B816 second address: 71B81C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71FDB0 second address: 71FDB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 723891 second address: 7238A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBF10EEFA0h 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7238A9 second address: 7238AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72C473 second address: 72C480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72C480 second address: 72C494 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF0522A60h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 730F4D second address: 730F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007FBBF10EEF96h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 730F5E second address: 730F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72EE51 second address: 72EE58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72EE58 second address: 72EE80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBBF0522A68h 0x00000008 jns 00007FBBF0522A56h 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73DDF5 second address: 73DE13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBBF10EEF9Dh 0x00000009 jmp 00007FBBF10EEF9Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73DE13 second address: 73DE38 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jg 00007FBBF0522A56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d jmp 00007FBBF0522A66h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73F48F second address: 73F495 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73F495 second address: 73F49D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 741694 second address: 7416A6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBBF10EEF9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7416A6 second address: 7416B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FBBF0522A56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7416B0 second address: 7416B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74406D second address: 744071 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 744071 second address: 7440A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBF10EEFA5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FBBF10EEFA2h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7440A2 second address: 7440AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7440AA second address: 7440AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BD27 second address: 75BD46 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FBBF0522A62h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75C089 second address: 75C08F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75C08F second address: 75C093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75C1EE second address: 75C1F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75C1F3 second address: 75C207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FBBF0522A5Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75C4BC second address: 75C4C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FBBF10EEF96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75C635 second address: 75C63B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75CA55 second address: 75CA64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBBF10EEF9Ah 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75CA64 second address: 75CA6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75CA6C second address: 75CA70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75FCF3 second address: 75FCF8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 762A21 second address: 762A27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 764328 second address: 764333 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 764333 second address: 76435E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBBF10EEF96h 0x0000000a jmp 00007FBBF10EEFA6h 0x0000000f jo 00007FBBF10EEF96h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76435E second address: 764379 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007FBBF0522A62h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 764379 second address: 764385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jc 00007FBBF10EEF96h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67F829 second address: 67F845 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF0522A61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 497034E second address: 4970352 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4970352 second address: 4970358 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A05DB second address: 49A05F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBBF10EEFA4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A063E second address: 49A0644 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0644 second address: 49A0668 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEFA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0668 second address: 49A067E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBBF0522A61h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A067E second address: 4990236 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 54CC2572h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop esi 0x0000000e pushad 0x0000000f mov cx, bx 0x00000012 jmp 00007FBBF10EEFA1h 0x00000017 popad 0x00000018 leave 0x00000019 jmp 00007FBBF10EEF9Eh 0x0000001e retn 0004h 0x00000021 nop 0x00000022 cmp eax, 00000000h 0x00000025 setne al 0x00000028 xor ebx, ebx 0x0000002a test al, 01h 0x0000002c jne 00007FBBF10EEF97h 0x0000002e xor eax, eax 0x00000030 sub esp, 08h 0x00000033 mov dword ptr [esp], 00000000h 0x0000003a mov dword ptr [esp+04h], 00000000h 0x00000042 call 00007FBBF55D85FFh 0x00000047 mov edi, edi 0x00000049 pushad 0x0000004a mov di, cx 0x0000004d push eax 0x0000004e push edx 0x0000004f mov edi, eax 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990236 second address: 49902BE instructions: 0x00000000 rdtsc 0x00000002 call 00007FBBF0522A64h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push ebx 0x0000000c jmp 00007FBBF0522A5Eh 0x00000011 mov dword ptr [esp], ebp 0x00000014 jmp 00007FBBF0522A60h 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FBBF0522A5Eh 0x00000022 sbb esi, 41D64978h 0x00000028 jmp 00007FBBF0522A5Bh 0x0000002d popfd 0x0000002e push eax 0x0000002f push edx 0x00000030 pushfd 0x00000031 jmp 00007FBBF0522A66h 0x00000036 or cl, FFFFFFD8h 0x00000039 jmp 00007FBBF0522A5Bh 0x0000003e popfd 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49902BE second address: 49902F2 instructions: 0x00000000 rdtsc 0x00000002 mov cx, 2A8Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push FFFFFFFEh 0x0000000b jmp 00007FBBF10EEFA2h 0x00000010 call 00007FBBF10EEF99h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov ebx, 2AAC8C50h 0x0000001d mov edi, 6F561D7Ch 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49902F2 second address: 4990343 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF0522A62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FBBF0522A61h 0x00000011 sbb ax, 7786h 0x00000016 jmp 00007FBBF0522A61h 0x0000001b popfd 0x0000001c mov esi, 60D77137h 0x00000021 popad 0x00000022 mov eax, dword ptr [esp+04h] 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990343 second address: 4990349 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990349 second address: 4990366 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF0522A61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990366 second address: 4990380 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEFA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990380 second address: 4990386 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990386 second address: 4990419 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEF9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 call 00007FBBF10EEFA7h 0x00000015 jmp 00007FBBF10EEFA8h 0x0000001a pop esi 0x0000001b mov esi, edi 0x0000001d popad 0x0000001e pop eax 0x0000001f jmp 00007FBBF10EEF9Dh 0x00000024 push 101CACAFh 0x00000029 jmp 00007FBBF10EEFA7h 0x0000002e add dword ptr [esp], 65887EC1h 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FBBF10EEFA5h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990419 second address: 4990458 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, dl 0x00000005 jmp 00007FBBF0522A68h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr fs:[00000000h] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FBBF0522A67h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990458 second address: 499045E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 499045E second address: 4990462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990462 second address: 49904AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEF9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007FBBF10EEFA6h 0x00000011 push eax 0x00000012 jmp 00007FBBF10EEF9Bh 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FBBF10EEFA5h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49904AE second address: 4990526 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF0522A61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 18h 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FBBF0522A5Ch 0x00000013 and si, 8518h 0x00000018 jmp 00007FBBF0522A5Bh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FBBF0522A68h 0x00000024 sub ah, 00000078h 0x00000027 jmp 00007FBBF0522A5Bh 0x0000002c popfd 0x0000002d popad 0x0000002e xchg eax, ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FBBF0522A65h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990526 second address: 499052C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 499052C second address: 4990530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990530 second address: 49905AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov bx, AAC6h 0x0000000e popad 0x0000000f xchg eax, ebx 0x00000010 pushad 0x00000011 mov esi, ebx 0x00000013 push ebx 0x00000014 mov ebx, eax 0x00000016 pop esi 0x00000017 popad 0x00000018 push esi 0x00000019 jmp 00007FBBF10EEF9Ah 0x0000001e mov dword ptr [esp], esi 0x00000021 pushad 0x00000022 mov bx, si 0x00000025 mov ecx, 5BA1C9B9h 0x0000002a popad 0x0000002b xchg eax, edi 0x0000002c jmp 00007FBBF10EEFA4h 0x00000031 push eax 0x00000032 jmp 00007FBBF10EEF9Bh 0x00000037 xchg eax, edi 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b pushfd 0x0000003c jmp 00007FBBF10EEF9Bh 0x00000041 jmp 00007FBBF10EEFA3h 0x00000046 popfd 0x00000047 mov ecx, 5FE4C11Fh 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49905AB second address: 49905B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49905B1 second address: 49905EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEFA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [75AB4538h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FBBF10EEFA5h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49905EA second address: 4990675 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 4AC05A32h 0x00000008 call 00007FBBF0522A63h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xor dword ptr [ebp-08h], eax 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FBBF0522A65h 0x0000001b add si, C9B6h 0x00000020 jmp 00007FBBF0522A61h 0x00000025 popfd 0x00000026 call 00007FBBF0522A60h 0x0000002b mov di, cx 0x0000002e pop esi 0x0000002f popad 0x00000030 xor eax, ebp 0x00000032 jmp 00007FBBF0522A5Ah 0x00000037 nop 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FBBF0522A67h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990675 second address: 49906A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEFA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FBBF10EEF9Ah 0x00000012 pop ecx 0x00000013 mov dh, 98h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49906A4 second address: 49906C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBBF0522A68h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49906C0 second address: 4990729 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEF9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007FBBF10EEFA6h 0x00000011 lea eax, dword ptr [ebp-10h] 0x00000014 pushad 0x00000015 mov ecx, 30B5785Dh 0x0000001a pushfd 0x0000001b jmp 00007FBBF10EEF9Ah 0x00000020 sub al, FFFFFFB8h 0x00000023 jmp 00007FBBF10EEF9Bh 0x00000028 popfd 0x00000029 popad 0x0000002a mov dword ptr fs:[00000000h], eax 0x00000030 pushad 0x00000031 call 00007FBBF10EEFA4h 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990729 second address: 499074F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov edi, 584060C4h 0x0000000a popad 0x0000000b mov dword ptr [ebp-18h], esp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBBF0522A66h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 499074F second address: 4990836 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 33639124h 0x00000008 pushfd 0x00000009 jmp 00007FBBF10EEF9Dh 0x0000000e add esi, 69B69766h 0x00000014 jmp 00007FBBF10EEFA1h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov eax, dword ptr fs:[00000018h] 0x00000023 jmp 00007FBBF10EEF9Eh 0x00000028 mov ecx, dword ptr [eax+00000FDCh] 0x0000002e jmp 00007FBBF10EEFA0h 0x00000033 test ecx, ecx 0x00000035 jmp 00007FBBF10EEFA0h 0x0000003a jns 00007FBBF10EEFDEh 0x00000040 pushad 0x00000041 push esi 0x00000042 pushfd 0x00000043 jmp 00007FBBF10EEF9Dh 0x00000048 sub cl, FFFFFFD6h 0x0000004b jmp 00007FBBF10EEFA1h 0x00000050 popfd 0x00000051 pop esi 0x00000052 jmp 00007FBBF10EEFA1h 0x00000057 popad 0x00000058 add eax, ecx 0x0000005a jmp 00007FBBF10EEF9Eh 0x0000005f mov ecx, dword ptr [ebp+08h] 0x00000062 pushad 0x00000063 pushfd 0x00000064 jmp 00007FBBF10EEF9Eh 0x00000069 jmp 00007FBBF10EEFA5h 0x0000006e popfd 0x0000006f pushad 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990836 second address: 4990846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 test ecx, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990846 second address: 499084A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 499084A second address: 499084E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 499084E second address: 4990854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49803F9 second address: 49803FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49803FD second address: 4980412 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEFA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4980412 second address: 498043B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007FBBF0522A65h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 498043B second address: 498044E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEF9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 498044E second address: 49804C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF0522A69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 2Ch 0x0000000c pushad 0x0000000d jmp 00007FBBF0522A5Ch 0x00000012 pushfd 0x00000013 jmp 00007FBBF0522A62h 0x00000018 jmp 00007FBBF0522A65h 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ebx 0x00000020 jmp 00007FBBF0522A5Eh 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FBBF0522A5Eh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49804C5 second address: 49804D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBBF10EEF9Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49804D7 second address: 49804DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49804DB second address: 49804EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49804EA second address: 49804EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49804EE second address: 49804F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49804F4 second address: 4980591 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBBF0522A61h 0x00000009 and al, FFFFFFF6h 0x0000000c jmp 00007FBBF0522A61h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007FBBF0522A60h 0x00000018 xor ecx, 251A3418h 0x0000001e jmp 00007FBBF0522A5Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 xchg eax, edi 0x00000028 jmp 00007FBBF0522A66h 0x0000002d push eax 0x0000002e jmp 00007FBBF0522A5Bh 0x00000033 xchg eax, edi 0x00000034 pushad 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007FBBF0522A62h 0x0000003c and eax, 0DADB8D8h 0x00000042 jmp 00007FBBF0522A5Bh 0x00000047 popfd 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49805B6 second address: 49805BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49805BC second address: 49805C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49805C2 second address: 49805C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49805C6 second address: 498064E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF0522A5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub ebx, ebx 0x0000000d jmp 00007FBBF0522A61h 0x00000012 sub edi, edi 0x00000014 jmp 00007FBBF0522A67h 0x00000019 inc ebx 0x0000001a jmp 00007FBBF0522A66h 0x0000001f test al, al 0x00000021 jmp 00007FBBF0522A60h 0x00000026 je 00007FBBF0522CE7h 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FBBF0522A67h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 498064E second address: 4980654 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4980654 second address: 4980658 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4980658 second address: 498066B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea ecx, dword ptr [ebp-14h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 mov bl, ah 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 498066B second address: 49806BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBBF0522A5Eh 0x00000009 adc esi, 32582648h 0x0000000f jmp 00007FBBF0522A5Bh 0x00000014 popfd 0x00000015 call 00007FBBF0522A68h 0x0000001a pop esi 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e mov dword ptr [ebp-14h], edi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FBBF0522A5Ch 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49806BC second address: 49806C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49806C2 second address: 49806C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49806FC second address: 498074E instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FBBF10EEFA2h 0x00000008 adc si, 9098h 0x0000000d jmp 00007FBBF10EEF9Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 nop 0x00000017 pushad 0x00000018 mov ecx, 3F3CB86Bh 0x0000001d mov dx, si 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 call 00007FBBF10EEFA6h 0x0000002a pop esi 0x0000002b pushad 0x0000002c popad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 498074E second address: 4980754 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4980754 second address: 4980758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49807ED second address: 498083E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 test eax, eax 0x00000009 jmp 00007FBBF0522A64h 0x0000000e jg 00007FBC616006D8h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FBBF0522A5Dh 0x0000001d sbb ax, 47C6h 0x00000022 jmp 00007FBBF0522A61h 0x00000027 popfd 0x00000028 mov esi, 7558EC77h 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 498083E second address: 498087F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEF9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FBBF10EF007h 0x0000000f jmp 00007FBBF10EEF9Eh 0x00000014 cmp dword ptr [ebp-14h], edi 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FBBF10EEFA7h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 498087F second address: 49808B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 086Ah 0x00000007 jmp 00007FBBF0522A5Bh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jne 00007FBC6160065Dh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FBBF0522A65h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49808B1 second address: 49808E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEFA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d movzx esi, dx 0x00000010 mov bx, 05CCh 0x00000014 popad 0x00000015 lea eax, dword ptr [ebp-2Ch] 0x00000018 jmp 00007FBBF10EEF9Bh 0x0000001d xchg eax, esi 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49808E6 second address: 49808EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 0C94h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49808EF second address: 498094B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEF9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov bh, C2h 0x0000000d call 00007FBBF10EEF9Ah 0x00000012 mov esi, 121B1AE1h 0x00000017 pop eax 0x00000018 popad 0x00000019 xchg eax, esi 0x0000001a pushad 0x0000001b call 00007FBBF10EEFA3h 0x00000020 mov dx, ax 0x00000023 pop esi 0x00000024 mov di, 0EA8h 0x00000028 popad 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FBBF10EEFA6h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 498094B second address: 498095A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF0522A5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 498095A second address: 49809A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEFA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007FBBF10EEF9Eh 0x00000011 xchg eax, ebx 0x00000012 jmp 00007FBBF10EEFA0h 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49809A0 second address: 49809A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49809A4 second address: 49809A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49809A8 second address: 49809AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4980010 second address: 4980049 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEF9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FBBF10EEFA6h 0x0000000f push eax 0x00000010 jmp 00007FBBF10EEF9Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4980049 second address: 498004D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 498004D second address: 4980051 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4980051 second address: 4980057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4980057 second address: 498008A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, 34h 0x00000005 movsx ebx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007FBBF10EEF9Ch 0x00000012 xchg eax, ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FBBF10EEFA7h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 498008A second address: 4980100 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF0522A69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FBBF0522A61h 0x0000000f xchg eax, ecx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FBBF0522A5Ch 0x00000017 jmp 00007FBBF0522A65h 0x0000001c popfd 0x0000001d mov ah, C7h 0x0000001f popad 0x00000020 mov dword ptr [ebp-04h], 55534552h 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a mov cl, 3Fh 0x0000002c call 00007FBBF0522A61h 0x00000031 pop ecx 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4980D90 second address: 4980D96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4980D96 second address: 4980D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4980D9A second address: 4980D9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990008 second address: 499000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 499000C second address: 4990010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990010 second address: 4990016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990016 second address: 4990033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBBF10EEFA9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990033 second address: 49900E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF0522A61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b call 00007FBBF0522A59h 0x00000010 pushad 0x00000011 jmp 00007FBBF0522A5Ch 0x00000016 pushad 0x00000017 call 00007FBBF0522A60h 0x0000001c pop ecx 0x0000001d movsx ebx, ax 0x00000020 popad 0x00000021 popad 0x00000022 push eax 0x00000023 jmp 00007FBBF0522A5Dh 0x00000028 mov eax, dword ptr [esp+04h] 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007FBBF0522A67h 0x00000033 xor si, 1B5Eh 0x00000038 jmp 00007FBBF0522A69h 0x0000003d popfd 0x0000003e mov edx, ecx 0x00000040 popad 0x00000041 mov eax, dword ptr [eax] 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007FBBF0522A68h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49900E0 second address: 499010E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEF9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e jmp 00007FBBF10EEF9Fh 0x00000013 mov bx, si 0x00000016 popad 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 499010E second address: 4990114 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990114 second address: 499015F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEFA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007FBC621B49DAh 0x0000000e push 75A52B70h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov eax, dword ptr [esp+10h] 0x0000001e mov dword ptr [esp+10h], ebp 0x00000022 lea ebp, dword ptr [esp+10h] 0x00000026 sub esp, eax 0x00000028 push ebx 0x00000029 push esi 0x0000002a push edi 0x0000002b mov eax, dword ptr [75AB4538h] 0x00000030 xor dword ptr [ebp-04h], eax 0x00000033 xor eax, ebp 0x00000035 push eax 0x00000036 mov dword ptr [ebp-18h], esp 0x00000039 push dword ptr [ebp-08h] 0x0000003c mov eax, dword ptr [ebp-04h] 0x0000003f mov dword ptr [ebp-04h], FFFFFFFEh 0x00000046 mov dword ptr [ebp-08h], eax 0x00000049 lea eax, dword ptr [ebp-10h] 0x0000004c mov dword ptr fs:[00000000h], eax 0x00000052 ret 0x00000053 jmp 00007FBBF10EEFA0h 0x00000058 sub esi, esi 0x0000005a jmp 00007FBBF10EEFA1h 0x0000005f mov dword ptr [ebp-1Ch], esi 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 pushad 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 499015F second address: 4990165 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990165 second address: 499016B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 499016B second address: 499016F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 499016F second address: 4990173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A06CF second address: 49A0726 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF0522A69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FBBF0522A5Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ax, 0953h 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 pushad 0x00000018 mov ebx, 2F4BA666h 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FBBF0522A68h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0726 second address: 49A072C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A072C second address: 49A0746 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF0522A5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0746 second address: 49A074C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A074C second address: 49A076D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FBBF0522A5Eh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov esi, 49CA44F3h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A076D second address: 49A0772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0772 second address: 49A083A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBBF0522A65h 0x00000008 mov esi, 7C4DD037h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, esi 0x00000011 jmp 00007FBBF0522A5Ah 0x00000016 mov esi, dword ptr [ebp+0Ch] 0x00000019 jmp 00007FBBF0522A60h 0x0000001e test esi, esi 0x00000020 jmp 00007FBBF0522A60h 0x00000025 je 00007FBC615D064Bh 0x0000002b pushad 0x0000002c mov ax, di 0x0000002f popad 0x00000030 cmp dword ptr [75AB459Ch], 05h 0x00000037 pushad 0x00000038 call 00007FBBF0522A65h 0x0000003d mov cx, E0E7h 0x00000041 pop ecx 0x00000042 pushfd 0x00000043 jmp 00007FBBF0522A5Dh 0x00000048 or si, CD56h 0x0000004d jmp 00007FBBF0522A61h 0x00000052 popfd 0x00000053 popad 0x00000054 je 00007FBC615E86D8h 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d pushfd 0x0000005e jmp 00007FBBF0522A5Ah 0x00000063 xor ax, 9F78h 0x00000068 jmp 00007FBBF0522A5Bh 0x0000006d popfd 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A083A second address: 49A086E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FBBF10EEFA4h 0x0000000c add eax, 22C439D8h 0x00000012 jmp 00007FBBF10EEF9Bh 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, esi 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d mov edx, eax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A08E7 second address: 49A0929 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FBBF0522A62h 0x00000008 add esi, 0FD58358h 0x0000000e jmp 00007FBBF0522A5Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FBBF0522A65h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0929 second address: 49A0963 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBBF10EEFA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FBBF10EEF9Ah 0x00000013 or ecx, 4BEA4818h 0x00000019 jmp 00007FBBF10EEF9Bh 0x0000001e popfd 0x0000001f movzx eax, bx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0963 second address: 49A0969 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0969 second address: 49A096D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A096D second address: 49A0971 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0971 second address: 49A098B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBBF10EEF9Fh 0x00000010 rdtsc
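Each "RDTSC instruction interceptor" record above is one timing window: a first `rdtsc`, a short run of filler (`push`/`pop`, `pushad`/`popad`, `jmp` to the next fragment, junk `mov`s into registers that are immediately restored) and a second `rdtsc`, with the sandbox reporting every pair it intercepted. A few windows also carry real work between the two reads (the TEB read via `mov eax, dword ptr fs:[00000018h]` at 499074F, the SEH frame setup at 4990114), which shows the obfuscator spreads the reads through ordinary code rather than isolating them in one function. The check itself is simple: if the cycle delta across a window that does almost nothing is far larger than bare metal would produce, every `rdtsc` is being trapped or single-stepped. The following C program is an added example of that check and is not code from the sample or from the report; the threshold value and the round count are assumptions for illustration, and the non-x86 fallback path only exists so the example runs on other hosts.

```c
/*
 * Added example (not from the sandbox report or the sample): the RDTSC
 * delta check that the "RDTSC instruction interceptor" records document.
 * Read the time-stamp counter, execute a short filler, read it again and
 * treat an implausibly large minimum delta as evidence of a hypervisor
 * that traps RDTSC, a single-stepping debugger or an emulator.
 * The threshold is an assumption, not a value recovered from the sample.
 */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>

#if defined(_MSC_VER)
#include <intrin.h>
static inline uint64_t read_tsc(void) { return __rdtsc(); }
#elif defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static inline uint64_t read_tsc(void) { return __rdtsc(); }
#else
/* Fallback for non-x86 hosts only: nanoseconds from a monotonic clock
 * stand in for TSC ticks so the example still runs. */
#include <time.h>
static inline uint64_t read_tsc(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* One timed window: first read, `padding_iters` trivial iterations that
 * play the role of the pushad/popad/jmp filler in the report, second read.
 * Returns the delta in TSC ticks (nanoseconds on the fallback path). */
uint64_t timed_window(unsigned padding_iters) {
    volatile unsigned sink = 0;
    uint64_t t0 = read_tsc();
    for (unsigned i = 0; i < padding_iters; i++)
        sink += i;               /* volatile RMW: cannot be optimised away */
    uint64_t t1 = read_tsc();
    return t1 - t0;
}

/* Minimum delta over `rounds` windows. The minimum, not the mean, is what
 * a robust check uses: interrupts and context switches inflate individual
 * windows on bare metal and would otherwise cause false positives. */
uint64_t min_delta(unsigned padding_iters, unsigned rounds) {
    uint64_t best = UINT64_MAX;
    for (unsigned r = 0; r < rounds; r++) {
        uint64_t d = timed_window(padding_iters);
        if (d < best) best = d;
    }
    return best;
}

/* The decision the malware makes: a minimum delta above `threshold` for a
 * window holding almost no work means each RDTSC is being trapped. */
int rdtsc_looks_instrumented(uint64_t threshold) {
    return min_delta(0, 256) > threshold;
}

int main(void) {
    const uint64_t threshold = 1000;  /* assumed; tune per CPU and host */
    printf("min delta, empty window : %llu\n",
           (unsigned long long)min_delta(0, 256));
    printf("min delta, 100k iters   : %llu\n",
           (unsigned long long)min_delta(100000, 8));
    printf("instrumented?           : %s\n",
           rdtsc_looks_instrumented(threshold) ? "yes" : "no");
    return 0;
}
```

Build with `gcc -O2 rdtsc_check.c` (or `cl /O2` on Windows). On bare metal the empty-window minimum is a few tens of ticks; under a sandbox that intercepts `rdtsc` to hand back a plausible counter, or under a debugger stepping each instruction, it rises by orders of magnitude, which is exactly why the sandbox hooks the instruction and logs every pair. Note that a threshold tuned for empty windows does not transfer to windows that contain real work such as the TEB read at 499074F; the sample's per-window filler length varies, so an analyst replaying these records should compare like with like.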
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 4CE9A4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 4CEA29 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 6740B7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 69AC99 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 67B768 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 4CE96E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 6FC95D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe TID: 1468 Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 1468 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, 00000001.00000002.1446848944.0000000000650000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: file.exe, 00000001.00000002.1447480635.0000000000B02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW1
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: file.exe, 00000001.00000002.1447480635.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1447480635.0000000000B02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: file.exe, 00000001.00000003.1335719740.000000000536A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696492231p
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: file.exe, 00000001.00000002.1446848944.0000000000650000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: file.exe, 00000001.00000003.1336079000.000000000535C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004B0F10 LdrInitializeThunk, 1_2_004B0F10

HIPS / PFW / Operating System Protection Evasion

Source: file.exe String found in binary or memory: scriptyprefej.store
Source: file.exe String found in binary or memory: navygenerayk.store
Source: file.exe String found in binary or memory: founpiuer.store
Source: file.exe String found in binary or memory: necklacedmny.store
Source: file.exe String found in binary or memory: thumbystriw.store
Source: file.exe String found in binary or memory: fadehairucw.store
Source: file.exe String found in binary or memory: crisiwarny.store
Source: file.exe String found in binary or memory: presticitpo.store
Source: file.exe, 00000001.00000002.1447005302.0000000000696000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: vProgram Manager
Source: file.exe Binary or memory string: yvProgram Manager
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: file.exe, 00000001.00000002.1447480635.0000000000B02000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1433134397.0000000000B83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1447480635.0000000000B83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1382385573.0000000000B81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 6636, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: file.exe, 00000001.00000002.1447480635.0000000000B02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: file.exe, 00000001.00000003.1312488858.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\ElectronCash\wallets
Source: file.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: file.exe, 00000001.00000002.1447480635.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: file.exe, 00000001.00000003.1335200391.0000000000B80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ata%\\Exodus\\exodus
Source: file.exe String found in binary or memory: Wallets/Exodus
Source: file.exe, 00000001.00000003.1312424888.0000000000B7A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance
Source: file.exe, 00000001.00000002.1447480635.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: file.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe String found in binary or memory: keystore
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\file.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DQOFHVHTMG
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ERWQDBYZVW
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ERWQDBYZVW
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DQOFHVHTMG
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DUKNXICOZT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DUKNXICOZT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ERWQDBYZVW
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ERWQDBYZVW
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\WHZAGPPPLA
Source: Yara match File source: 00000001.00000003.1367227452.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1312488858.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1335200391.0000000000B80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1364978590.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1348830892.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1336432602.0000000000B83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1349179623.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1349466810.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1312424888.0000000000B7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1364471802.0000000000B83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1335230711.0000000000B83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1348810433.0000000000B83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6636, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 6636, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP