Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1544953
MD5: 8f8658063ab24bbbdd7e7bc84e0c1691
SHA1: 3eb229ca08365a5e5b546d76497b044ee37bb65f
SHA256: 69cac707d11d2834fc990cbb7d3f178c9c8396aa42aa1679be46381dd859904a
Tags: exeuser-Bitsight
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Found malware configuration
Source: file.exe.4980.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["necklacedmny.store", "presticitpo.store", "crisiwarny.store", "fadehairucw.store", "thumbystriw.store", "founpiuer.store", "scriptyprefej.store", "navygenerayk.store"], "Build id": "4SD0y4--legendaryy"}
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 36%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.2493062428.0000000000581000.00000040.00000001.01000000.00000003.sdmp String decryptor: scriptyprefej.store
Source: 00000000.00000002.2493062428.0000000000581000.00000040.00000001.01000000.00000003.sdmp String decryptor: navygenerayk.store
Source: 00000000.00000002.2493062428.0000000000581000.00000040.00000001.01000000.00000003.sdmp String decryptor: founpiuer.store
Source: 00000000.00000002.2493062428.0000000000581000.00000040.00000001.01000000.00000003.sdmp String decryptor: necklacedmny.store
Source: 00000000.00000002.2493062428.0000000000581000.00000040.00000001.01000000.00000003.sdmp String decryptor: thumbystriw.store
Source: 00000000.00000002.2493062428.0000000000581000.00000040.00000001.01000000.00000003.sdmp String decryptor: fadehairucw.store
Source: 00000000.00000002.2493062428.0000000000581000.00000040.00000001.01000000.00000003.sdmp String decryptor: crisiwarny.store
Source: 00000000.00000002.2493062428.0000000000581000.00000040.00000001.01000000.00000003.sdmp String decryptor: presticitpo.store
Source: 00000000.00000002.2493062428.0000000000581000.00000040.00000001.01000000.00000003.sdmp String decryptor: presticitpo.store
Source: 00000000.00000002.2493062428.0000000000581000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2493062428.0000000000581000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2493062428.0000000000581000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2493062428.0000000000581000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2493062428.0000000000581000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2493062428.0000000000581000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49711 version: TLS 1.2
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_0059104F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-42h] 0_2_0058E1A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_005BE210
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+75E07B5Ch] 0_2_0058EC20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edi, esi 0_2_005BBCA9
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-0000008Ah] 0_2_0058CF90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+38h] 0_2_0059E07E
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [eax+ebx], 30303030h 0_2_00581000
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h 0_2_00581000
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, eax 0_2_005A702F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [ecx+edx] 0_2_005BF020
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov esi, dword ptr [esp+1Ch] 0_2_005BF020
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add ecx, eax 0_2_005AA083
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-6Ch] 0_2_005AA083
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov esi, ecx 0_2_005C2165
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [005CDCFCh] 0_2_005BC132
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], B62B8D10h 0_2_005AD2FD
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [esp] 0_2_005AD2FD
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_005A8290
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+29352E8Dh] 0_2_005C5330
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], B62B8D10h 0_2_005AC3A6
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_005914CE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebp, edx 0_2_005C24E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, dword ptr [esp+04h] 0_2_005814A8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+58h] 0_2_005A2520
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, dword ptr [esi+64h] 0_2_005B15DC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_005C35F0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h] 0_2_005C35F0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 0_2_005A66E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax] 0_2_005A36AC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_005C3740
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h] 0_2_005C3740
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [eax], cl 0_2_005AF73A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_005AE7B0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [esp+eax-3ED06EDAh] 0_2_005BC7A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add edx, esi 0_2_005A98F2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 0_2_00585890
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [eax], cl 0_2_005B0887
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_005A6940
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, eax 0_2_005AF9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esi+10h], edx 0_2_005AF9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi], cl 0_2_005AF9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_005AF9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_005C39C0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h] 0_2_005C39C0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h] 0_2_005C3A90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [esp+edx+6D44C030h] 0_2_005AAB20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9ABDB589h 0_2_005AAB20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then and esi, 001FF800h 0_2_00584BA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp+04h], ecx 0_2_0059FBA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 0_2_005C4C40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h 0_2_005AECE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+6D44C02Ch] 0_2_005BFC90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_005B8C80
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [ebp+edx*4+00h], ax 0_2_0058BD50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+34h] 0_2_0058BD50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h] 0_2_005C3D90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], bp 0_2_005A1EC5
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [ecx], di 0_2_005A1EC5
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp edx 0_2_00588EF0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [eax], cl 0_2_005B0F3E

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49710 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49710 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49711 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49711 -> 188.114.96.3:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: necklacedmny.store
Source: Malware configuration extractor URLs: presticitpo.store
Source: Malware configuration extractor URLs: crisiwarny.store
Source: Malware configuration extractor URLs: fadehairucw.store
Source: Malware configuration extractor URLs: thumbystriw.store
Source: Malware configuration extractor URLs: founpiuer.store
Source: Malware configuration extractor URLs: scriptyprefej.store
Source: Malware configuration extractor URLs: navygenerayk.store
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: necklacedmny.store
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: presticitpo.store
Source: global traffic DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic DNS traffic detected: DNS query: necklacedmny.store
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: necklacedmny.store
Source: file.exe, 00000000.00000003.2492784525.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: file.exe, 00000000.00000003.2492863943.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2494351855.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2494667507.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/
Source: file.exe, 00000000.00000002.2494604705.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2492784525.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2494351855.0000000000F46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49711 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0059104F 0_2_0059104F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0058E1A0 0_2_0058E1A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0058F755 0_2_0058F755
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0058EC20 0_2_0058EC20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005BBCA9 0_2_005BBCA9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B5050 0_2_005B5050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C5040 0_2_005C5040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0059E07E 0_2_0059E07E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0059D010 0_2_0059D010
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00581000 0_2_00581000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00585000 0_2_00585000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A702F 0_2_005A702F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A6022 0_2_005A6022
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005BF020 0_2_005BF020
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005BB0F0 0_2_005BB0F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A30E0 0_2_005A30E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C40E0 0_2_005C40E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005870B0 0_2_005870B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C2165 0_2_005C2165
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005AA112 0_2_005AA112
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00663134 0_2_00663134
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A1100 0_2_005A1100
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005891E9 0_2_005891E9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0058B240 0_2_0058B240
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0058A260 0_2_0058A260
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00686255 0_2_00686255
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005812D5 0_2_005812D5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005AD2FD 0_2_005AD2FD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007412DB 0_2_007412DB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006972AC 0_2_006972AC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C5330 0_2_005C5330
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00581328 0_2_00581328
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A9328 0_2_005A9328
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005AB3D0 0_2_005AB3D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A83E2 0_2_005A83E2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068439B 0_2_0068439B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005AC3A6 0_2_005AC3A6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00588460 0_2_00588460
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00590460 0_2_00590460
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B4461 0_2_005B4461
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00750417 0_2_00750417
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005914CE 0_2_005914CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C24E0 0_2_005C24E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005AF570 0_2_005AF570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005AA510 0_2_005AA510
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005BA523 0_2_005BA523
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A2520 0_2_005A2520
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B15DC 0_2_005B15DC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005965D7 0_2_005965D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C35F0 0_2_005C35F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00746639 0_2_00746639
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C3740 0_2_005C3740
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A3770 0_2_005A3770
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C2700 0_2_005C2700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005AF73A 0_2_005AF73A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0058A720 0_2_0058A720
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0059D7F8 0_2_0059D7F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007447B1 0_2_007447B1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005BB7B0 0_2_005BB7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005BC7A0 0_2_005BC7A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005BF800 0_2_005BF800
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006AD80D 0_2_006AD80D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0059E837 0_2_0059E837
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007498E5 0_2_007498E5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A98F2 0_2_005A98F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0074E8C2 0_2_0074E8C2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B0887 0_2_005B0887
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B08B1 0_2_005B08B1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A6940 0_2_005A6940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00583930 0_2_00583930
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005AF9D0 0_2_005AF9D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060E9F6 0_2_0060E9F6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C39C0 0_2_005C39C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0073A9CC 0_2_0073A9CC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00596997 0_2_00596997
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A79B0 0_2_005A79B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00594A4C 0_2_00594A4C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0059FA4F 0_2_0059FA4F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00753A2E 0_2_00753A2E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C3A90 0_2_005C3A90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0058DA80 0_2_0058DA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00587AB0 0_2_00587AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C2B10 0_2_005C2B10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005AAB20 0_2_005AAB20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005ACBD0 0_2_005ACBD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B4BC7 0_2_005B4BC7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0059FBA0 0_2_0059FBA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0059CC20 0_2_0059CC20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005AECE0 0_2_005AECE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0074BCB3 0_2_0074BCB3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0058BD50 0_2_0058BD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006D7D7C 0_2_006D7D7C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0059ED48 0_2_0059ED48
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00586D10 0_2_00586D10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0081ADD4 0_2_0081ADD4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00742D00 0_2_00742D00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C3D90 0_2_005C3D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0058ADB0 0_2_0058ADB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00593E45 0_2_00593E45
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00747E5E 0_2_00747E5E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B3E24 0_2_005B3E24
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A1EC5 0_2_005A1EC5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00588EF0 0_2_00588EF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005BAE90 0_2_005BAE90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00751E82 0_2_00751E82
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0058DF60 0_2_0058DF60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B9F61 0_2_005B9F61
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B0F3E 0_2_005B0F3E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060FF07 0_2_0060FF07
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FAFC3 0_2_006FAFC3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00589FF5 0_2_00589FF5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C2FB0 0_2_005C2FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0058C890 appears 69 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0058E190 appears 152 times
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9978019690438872
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@5/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B2240 CoCreateInstance, 0_2_005B2240
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe ReversingLabs: Detection: 36%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: file.exe Static file information: File size 2961920 > 1048576
Source: file.exe Static PE information: Raw size of xsruppbo is bigger than: 0x100000 < 0x2a7600

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.580000.0.unpack :EW;.rsrc:W;.idata :W;xsruppbo:EW;tctkamej:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;xsruppbo:EW;tctkamej:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x2e28cf should be: 0x2e2ede
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: xsruppbo
Source: file.exe Static PE information: section name: tctkamej
Source: file.exe Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0083432F push 6A90C90Dh; mov dword ptr [esp], ebp 0_2_00834423
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00779023 push ecx; mov dword ptr [esp], ebx 0_2_00779054
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C600E push ebx; mov dword ptr [esp], 3DBBD12Bh 0_2_006C6044
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C600E push 61A600DBh; mov dword ptr [esp], edx 0_2_006C60AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C600E push esi; mov dword ptr [esp], ebp 0_2_006C60B6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C600E push 66C69C43h; mov dword ptr [esp], eax 0_2_006C60DA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C1017 push 1E6D5600h; mov dword ptr [esp], edi 0_2_007C1090
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008241A7 push 73837365h; mov dword ptr [esp], ebp 0_2_0082457F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00663134 push ebx; mov dword ptr [esp], 6EE2058Eh 0_2_006632FD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007EE10B push 00CBA238h; mov dword ptr [esp], esp 0_2_007EE131
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007EE10B push 377DA217h; mov dword ptr [esp], ebx 0_2_007EE155
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061B1FE push ecx; mov dword ptr [esp], ebp 0_2_0061B250
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D1196 push ebx; mov dword ptr [esp], esp 0_2_007D11DC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D1196 push 14B4B0DAh; mov dword ptr [esp], edi 0_2_007D123F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00686255 push esi; mov dword ptr [esp], eax 0_2_00686270
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00686255 push 22DDA2EFh; mov dword ptr [esp], ecx 0_2_0068627B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00686255 push esi; mov dword ptr [esp], edx 0_2_0068641D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E5229 push 7A425B8Bh; mov dword ptr [esp], ebx 0_2_007E5237
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005CC2F4 push es; retf 0_2_005CC2F5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007412DB push ecx; mov dword ptr [esp], eax 0_2_007412F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007412DB push esi; mov dword ptr [esp], 6DBF7597h 0_2_00741384
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007412DB push edx; mov dword ptr [esp], ecx 0_2_007413BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007412DB push esi; mov dword ptr [esp], edi 0_2_007413EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007412DB push edi; mov dword ptr [esp], ecx 0_2_0074142C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007412DB push 4F691A0Fh; mov dword ptr [esp], eax 0_2_007414B5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007412DB push ebp; mov dword ptr [esp], edx 0_2_007414FF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007412DB push edi; mov dword ptr [esp], eax 0_2_007415A4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007412DB push 3D39E1B4h; mov dword ptr [esp], ebx 0_2_007415AE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007412DB push ebx; mov dword ptr [esp], ecx 0_2_00741633
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007412DB push esi; mov dword ptr [esp], 77FB2EA3h 0_2_0074165B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007412DB push edi; mov dword ptr [esp], eax 0_2_007416C0
Source: file.exe Static PE information: section name: entropy: 7.973529305219434

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75857D second address: 75859A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D60DD0459h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75859A second address: 7585A4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8D60D48916h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 757B8B second address: 757B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 757B91 second address: 757B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 757B95 second address: 757B9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 757D16 second address: 757D22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F8D60D48916h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75B9FE second address: 5DEECE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8D60DD0448h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 6E6680D6h 0x00000013 and ecx, 7B79E40Ch 0x00000019 push dword ptr [ebp+122D16E1h] 0x0000001f call dword ptr [ebp+122D1D3Dh] 0x00000025 pushad 0x00000026 jmp 00007F8D60DD0452h 0x0000002b xor eax, eax 0x0000002d cmc 0x0000002e mov edx, dword ptr [esp+28h] 0x00000032 sub dword ptr [ebp+122D238Ah], esi 0x00000038 clc 0x00000039 mov dword ptr [ebp+122D2E8Dh], eax 0x0000003f sub dword ptr [ebp+122D238Ah], edx 0x00000045 mov esi, 0000003Ch 0x0000004a jmp 00007F8D60DD0456h 0x0000004f add esi, dword ptr [esp+24h] 0x00000053 cld 0x00000054 lodsw 0x00000056 mov dword ptr [ebp+122D238Ah], edi 0x0000005c add eax, dword ptr [esp+24h] 0x00000060 jng 00007F8D60DD044Ch 0x00000066 mov dword ptr [ebp+122D1E8Bh], ebx 0x0000006c mov ebx, dword ptr [esp+24h] 0x00000070 ja 00007F8D60DD044Ch 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 jns 00007F8D60DD0457h 0x0000007f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BA41 second address: 75BA45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BA45 second address: 75BA5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8D60DD0450h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BA5E second address: 75BAE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60D4891Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jc 00007F8D60D4891Ch 0x00000010 mov dword ptr [ebp+122D2097h], eax 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007F8D60D48918h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 00000016h 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 mov edx, dword ptr [ebp+122D2F21h] 0x00000038 mov edi, dword ptr [ebp+122D2DBDh] 0x0000003e call 00007F8D60D48919h 0x00000043 jmp 00007F8D60D48926h 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c jmp 00007F8D60D48925h 0x00000051 pushad 0x00000052 popad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BAE5 second address: 75BAEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BAEB second address: 75BB35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60D4891Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push ebx 0x00000010 pushad 0x00000011 jmp 00007F8D60D48929h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pop ebx 0x0000001a mov eax, dword ptr [eax] 0x0000001c pushad 0x0000001d jl 00007F8D60D4891Ch 0x00000023 jnp 00007F8D60D48916h 0x00000029 push eax 0x0000002a push edx 0x0000002b push esi 0x0000002c pop esi 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BB35 second address: 75BB6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60DD044Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f jnp 00007F8D60DD0457h 0x00000015 push eax 0x00000016 push edx 0x00000017 jc 00007F8D60DD0446h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BB6A second address: 75BBB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 call 00007F8D60D4891Ch 0x0000000d mov ch, 6Ch 0x0000000f pop ecx 0x00000010 push 00000003h 0x00000012 sub ecx, dword ptr [ebp+122D2E89h] 0x00000018 push 00000000h 0x0000001a pushad 0x0000001b jnl 00007F8D60D48916h 0x00000021 mov ah, 9Ah 0x00000023 popad 0x00000024 push 00000003h 0x00000026 push esi 0x00000027 push eax 0x00000028 mov edx, dword ptr [ebp+122D2E25h] 0x0000002e pop esi 0x0000002f pop esi 0x00000030 push A012D68Bh 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jc 00007F8D60D48916h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BBB0 second address: 75BBB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BCD5 second address: 75BCE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F8D60D48916h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BE51 second address: 75BE55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BE55 second address: 75BE5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BE5B second address: 75BE7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F8D60DD0450h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F8D60DD0448h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BE7E second address: 75BF61 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8D60D48918h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e ja 00007F8D60D48931h 0x00000014 mov eax, dword ptr [eax] 0x00000016 push ebx 0x00000017 pushad 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a jmp 00007F8D60D4891Eh 0x0000001f popad 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 jmp 00007F8D60D48929h 0x0000002a pop eax 0x0000002b or ecx, 02E1E635h 0x00000031 movzx edi, dx 0x00000034 push 00000003h 0x00000036 mov dx, 937Ah 0x0000003a mov esi, dword ptr [ebp+122D26CAh] 0x00000040 push 00000000h 0x00000042 pushad 0x00000043 mov ax, B64Bh 0x00000047 adc cx, DA6Ch 0x0000004c popad 0x0000004d stc 0x0000004e push 00000003h 0x00000050 mov edx, dword ptr [ebp+122D3051h] 0x00000056 sbb di, 6761h 0x0000005b push A7C6F61Bh 0x00000060 pushad 0x00000061 ja 00007F8D60D4891Ch 0x00000067 jno 00007F8D60D48916h 0x0000006d jp 00007F8D60D4891Ch 0x00000073 js 00007F8D60D48916h 0x00000079 popad 0x0000007a add dword ptr [esp], 183909E5h 0x00000081 jmp 00007F8D60D48921h 0x00000086 lea ebx, dword ptr [ebp+12450934h] 0x0000008c mov dword ptr [ebp+122D1CFDh], edx 0x00000092 push eax 0x00000093 pushad 0x00000094 pushad 0x00000095 jno 00007F8D60D48916h 0x0000009b push eax 0x0000009c push edx 0x0000009d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BF61 second address: 75BF6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75BF6A second address: 75BF6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77AC40 second address: 77AC5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60DD0450h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F8D60DD0446h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77AC5E second address: 77AC62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77AC62 second address: 77AC68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 778C97 second address: 778C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 778C9B second address: 778C9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 778C9F second address: 778CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 778F63 second address: 778F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 778F6C second address: 778F70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7790A3 second address: 7790C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D60DD044Ah 0x00000009 jng 00007F8D60DD0446h 0x0000000f popad 0x00000010 jmp 00007F8D60DD044Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7790C7 second address: 7790D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007F8D60D48916h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7790D3 second address: 7790D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77922A second address: 77925D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F8D60D48929h 0x0000000a jmp 00007F8D60D48923h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7793A2 second address: 7793A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7794C1 second address: 7794DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8D60D48916h 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f jmp 00007F8D60D4891Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7794DE second address: 7794E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7794E3 second address: 7794E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7794E9 second address: 7794EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7797A0 second address: 7797AA instructions: 0x00000000 rdtsc 0x00000002 je 00007F8D60D4891Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7797AA second address: 7797B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 772352 second address: 772356 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 772356 second address: 77236F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 jmp 00007F8D60DD044Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77236F second address: 77238A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D60D48927h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77238A second address: 77238E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 742848 second address: 74284C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779DE2 second address: 779DFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F8D60DD0448h 0x0000000b pushad 0x0000000c js 00007F8D60DD0446h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779DFA second address: 779E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 jng 00007F8D60D48916h 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77A3EE second address: 77A3F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77A7EC second address: 77A7F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77AABD second address: 77AAC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745CCD second address: 745CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745CD3 second address: 745CD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 780D9B second address: 780DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D60D48926h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77F4A4 second address: 77F4A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77F4A8 second address: 77F4AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74426D second address: 744298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D60DD044Eh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F8D60DD044Bh 0x00000010 jns 00007F8D60DD0448h 0x00000016 push eax 0x00000017 push edx 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7862BD second address: 7862CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7862CA second address: 7862CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 786446 second address: 78644C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78644C second address: 786451 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 786451 second address: 786457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 786457 second address: 786462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 789742 second address: 78974C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78974C second address: 789750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7898C7 second address: 7898CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 789AAB second address: 789AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 789D75 second address: 789D7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 789E7A second address: 789E7F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A2FE second address: 78A307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A307 second address: 78A30B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A75B second address: 78A761 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A80D second address: 78A813 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78AD32 second address: 78AD38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78B5C6 second address: 78B5CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78D3BF second address: 78D3C9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8D60D48916h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78D3C9 second address: 78D3D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F8D60DD0446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79008D second address: 7900AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F8D60D48925h 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 791407 second address: 79140D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79140D second address: 791413 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 791413 second address: 791471 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60DD0454h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push esi 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 pop esi 0x00000012 nop 0x00000013 mov dword ptr [ebp+1244DD02h], edi 0x00000019 push 00000000h 0x0000001b mov edi, edx 0x0000001d movzx edi, ax 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push esi 0x00000025 call 00007F8D60DD0448h 0x0000002a pop esi 0x0000002b mov dword ptr [esp+04h], esi 0x0000002f add dword ptr [esp+04h], 00000019h 0x00000037 inc esi 0x00000038 push esi 0x00000039 ret 0x0000003a pop esi 0x0000003b ret 0x0000003c mov esi, dword ptr [ebp+122D26B2h] 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 791471 second address: 79147C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8D60D48916h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7960AF second address: 7960C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8D60DD0451h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7960C4 second address: 796123 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60D48925h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e jnc 00007F8D60D4891Ch 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F8D60D48918h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 mov dword ptr [ebp+1244BF1Ch], eax 0x00000036 push 00000000h 0x00000038 sub dword ptr [ebp+12455326h], ebx 0x0000003e xchg eax, esi 0x0000003f push edi 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 791D0B second address: 791D22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D60DD044Ah 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7952F4 second address: 7952F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79721F second address: 797229 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8D60DD0446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 799325 second address: 799329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 791D22 second address: 791D33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60DD044Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79626B second address: 7962CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov dword ptr [ebp+122D2419h], ecx 0x0000000e push dword ptr fs:[00000000h] 0x00000015 mov edi, dword ptr [ebp+122D3029h] 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 push 00000000h 0x00000024 push esi 0x00000025 call 00007F8D60D48918h 0x0000002a pop esi 0x0000002b mov dword ptr [esp+04h], esi 0x0000002f add dword ptr [esp+04h], 0000001Dh 0x00000037 inc esi 0x00000038 push esi 0x00000039 ret 0x0000003a pop esi 0x0000003b ret 0x0000003c mov di, 6895h 0x00000040 mov eax, dword ptr [ebp+122D0095h] 0x00000046 mov di, 634Bh 0x0000004a push FFFFFFFFh 0x0000004c mov dword ptr [ebp+122D1EAAh], ecx 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 push ecx 0x00000056 push edi 0x00000057 pop edi 0x00000058 pop ecx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79442C second address: 794433 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C007 second address: 79C011 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8D60D48916h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79A210 second address: 79A214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79B22C second address: 79B231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 799329 second address: 79934B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60DD0452h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b jbe 00007F8D60DD0454h 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 791D33 second address: 791D39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7962CF second address: 7962D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C011 second address: 79C017 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79A214 second address: 79A218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79A218 second address: 79A2B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a add edi, 67FF4EE7h 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007F8D60D48918h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 mov edi, dword ptr [ebp+1245534Fh] 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e push 00000000h 0x00000040 push edx 0x00000041 call 00007F8D60D48918h 0x00000046 pop edx 0x00000047 mov dword ptr [esp+04h], edx 0x0000004b add dword ptr [esp+04h], 00000019h 0x00000053 inc edx 0x00000054 push edx 0x00000055 ret 0x00000056 pop edx 0x00000057 ret 0x00000058 sub dword ptr [ebp+122D2661h], ebx 0x0000005e mov eax, dword ptr [ebp+122D178Dh] 0x00000064 mov di, 7296h 0x00000068 push FFFFFFFFh 0x0000006a call 00007F8D60D48926h 0x0000006f sub dword ptr [ebp+1245F6C5h], edx 0x00000075 pop edi 0x00000076 push eax 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b jnp 00007F8D60D48916h 0x00000081 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79A2B8 second address: 79A2D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60DD0455h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79CF0F second address: 79CF5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 nop 0x00000007 sbb bl, 00000028h 0x0000000a push 00000000h 0x0000000c mov bh, ah 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F8D60D48918h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a mov dword ptr [ebp+122D20A1h], edi 0x00000030 push eax 0x00000031 pushad 0x00000032 jmp 00007F8D60D4891Ah 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79CF5A second address: 79CF5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79DE0E second address: 79DE12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79DE12 second address: 79DE18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79DE18 second address: 79DE1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A0035 second address: 7A00AE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jnp 00007F8D60DD0446h 0x0000000d pop ebx 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F8D60DD0448h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c mov bl, dh 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 jg 00007F8D60DD044Ch 0x00000037 pop edi 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ecx 0x0000003d call 00007F8D60DD0448h 0x00000042 pop ecx 0x00000043 mov dword ptr [esp+04h], ecx 0x00000047 add dword ptr [esp+04h], 00000017h 0x0000004f inc ecx 0x00000050 push ecx 0x00000051 ret 0x00000052 pop ecx 0x00000053 ret 0x00000054 mov edi, dword ptr [ebp+122D1DE9h] 0x0000005a xchg eax, esi 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007F8D60DD044Ch 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C289 second address: 79C28F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A10E4 second address: 7A10EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A10EA second address: 7A10F9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A10F9 second address: 7A10FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A10FD second address: 7A1107 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8D60D48916h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A1107 second address: 7A1188 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60DD044Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F8D60DD0448h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 jg 00007F8D60DD044Eh 0x0000002a jo 00007F8D60DD044Ch 0x00000030 sub dword ptr [ebp+122D5C27h], esi 0x00000036 push 00000000h 0x00000038 jo 00007F8D60DD044Ch 0x0000003e mov dword ptr [ebp+122D326Dh], eax 0x00000044 push 00000000h 0x00000046 jo 00007F8D60DD0447h 0x0000004c cld 0x0000004d xchg eax, esi 0x0000004e jmp 00007F8D60DD0453h 0x00000053 push eax 0x00000054 jns 00007F8D60DD0454h 0x0000005a push eax 0x0000005b push edx 0x0000005c push esi 0x0000005d pop esi 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A1188 second address: 7A118C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A2E7C second address: 7A2ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 nop 0x00000006 cmc 0x00000007 push 00000000h 0x00000009 mov ebx, 454187FBh 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F8D60DD0448h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a xchg eax, esi 0x0000002b push eax 0x0000002c push edx 0x0000002d jne 00007F8D60DD045Dh 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A30F5 second address: 7A30FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A6513 second address: 7A6517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AFD62 second address: 7AFD68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AFD68 second address: 7AFD7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74E3E6 second address: 74E3EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74E3EC second address: 74E3F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B4542 second address: 7B4548 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B4548 second address: 7B4565 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8D60DD0459h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B4565 second address: 7B458E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 ja 00007F8D60D48916h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8D60D48929h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B4B3A second address: 7B4B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B4B40 second address: 7B4B49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B52D9 second address: 7B52DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B546C second address: 7B54BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60D48929h 0x00000007 jmp 00007F8D60D48928h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8D60D48925h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B54BA second address: 7B54BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B54BE second address: 7B54C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B5639 second address: 7B564D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D60DD044Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B564D second address: 7B5652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B5652 second address: 7B565C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F8D60DD0446h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B565C second address: 7B5688 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F8D60D48921h 0x00000010 ja 00007F8D60D48918h 0x00000016 pushad 0x00000017 popad 0x00000018 ja 00007F8D60D48931h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B5688 second address: 7B56C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D60DD0455h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8D60DD044Ah 0x00000010 jmp 00007F8D60DD0456h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B5844 second address: 7B585E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F8D60D48924h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B585E second address: 7B5862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B903C second address: 7B9046 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8D60D48916h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B9046 second address: 7B904C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 747900 second address: 74790C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F8D60D48916h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BD575 second address: 7BD592 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8D60DD0454h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 787DD1 second address: 787DD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 787DD5 second address: 787DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F8D60DD0448h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 787DE7 second address: 772352 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8D60D48918h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b or edx, 36C88224h 0x00000011 lea eax, dword ptr [ebp+1247CAF3h] 0x00000017 push eax 0x00000018 mov dword ptr [ebp+1244BED3h], edi 0x0000001e pop edi 0x0000001f push eax 0x00000020 pushad 0x00000021 pushad 0x00000022 je 00007F8D60D48916h 0x00000028 jnc 00007F8D60D48916h 0x0000002e popad 0x0000002f ja 00007F8D60D48922h 0x00000035 popad 0x00000036 mov dword ptr [esp], eax 0x00000039 pushad 0x0000003a mov dword ptr [ebp+1244BF1Ch], edx 0x00000040 je 00007F8D60D4891Ch 0x00000046 jp 00007F8D60D48916h 0x0000004c popad 0x0000004d call dword ptr [ebp+122D1D87h] 0x00000053 push ecx 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 pop eax 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78834B second address: 78834F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78834F second address: 788353 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788353 second address: 788364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F8D60DD0446h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788364 second address: 5DEECE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60D48923h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F8D60D48918h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 jmp 00007F8D60D48924h 0x0000002a push dword ptr [ebp+122D16E1h] 0x00000030 mov ecx, dword ptr [ebp+1245054Dh] 0x00000036 call dword ptr [ebp+122D1D3Dh] 0x0000003c pushad 0x0000003d jmp 00007F8D60D48922h 0x00000042 xor eax, eax 0x00000044 cmc 0x00000045 mov edx, dword ptr [esp+28h] 0x00000049 sub dword ptr [ebp+122D238Ah], esi 0x0000004f clc 0x00000050 mov dword ptr [ebp+122D2E8Dh], eax 0x00000056 sub dword ptr [ebp+122D238Ah], edx 0x0000005c mov esi, 0000003Ch 0x00000061 jmp 00007F8D60D48926h 0x00000066 add esi, dword ptr [esp+24h] 0x0000006a cld 0x0000006b lodsw 0x0000006d mov dword ptr [ebp+122D238Ah], edi 0x00000073 add eax, dword ptr [esp+24h] 0x00000077 jng 00007F8D60D4891Ch 0x0000007d mov dword ptr [ebp+122D1E8Bh], ebx 0x00000083 mov ebx, dword ptr [esp+24h] 0x00000087 ja 00007F8D60D4891Ch 0x0000008d push eax 0x0000008e push eax 0x0000008f push edx 0x00000090 jns 00007F8D60D48927h 0x00000096 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788566 second address: 78857B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8D60DD0446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007F8D60DD0446h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78857B second address: 78858C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78858C second address: 7885C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60DD044Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push esi 0x0000000c jmp 00007F8D60DD0450h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a ja 00007F8D60DD0446h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7885C0 second address: 7885D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60D4891Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788732 second address: 78873B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788866 second address: 78889F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F8D60D48916h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [eax] 0x00000010 jmp 00007F8D60D48922h 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jnc 00007F8D60D48921h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788DF7 second address: 788E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dx, B31Fh 0x0000000d push 0000001Eh 0x0000000f xor dx, 1189h 0x00000014 mov edx, dword ptr [ebp+122D20A1h] 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F8D60DD0458h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7891D4 second address: 7891DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7891DA second address: 789239 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F8D60DD0448h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 lea eax, dword ptr [ebp+1247CB37h] 0x00000029 mov edx, dword ptr [ebp+122D207Ch] 0x0000002f nop 0x00000030 jbe 00007F8D60DD0452h 0x00000036 jnp 00007F8D60DD044Ch 0x0000003c push eax 0x0000003d pushad 0x0000003e jmp 00007F8D60DD044Dh 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 789239 second address: 78923D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78923D second address: 789294 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F8D60DD0448h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D2682h], esi 0x00000028 and dx, 3B24h 0x0000002d lea eax, dword ptr [ebp+1247CAF3h] 0x00000033 mov edi, dword ptr [ebp+122D302Dh] 0x00000039 nop 0x0000003a push eax 0x0000003b push edx 0x0000003c jng 00007F8D60DD0456h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 789294 second address: 772E60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60D4891Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F8D60D48929h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F8D60D48918h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a mov edx, esi 0x0000002c call dword ptr [ebp+122D1E7Ch] 0x00000032 push edi 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 772E60 second address: 772E71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 772E71 second address: 772E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8D60D4891Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BC5DC second address: 7BC5E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BC5E2 second address: 7BC5E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BC95E second address: 7BC962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BCC01 second address: 7BCC05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BCC05 second address: 7BCC12 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8D60DD0446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BCC12 second address: 7BCC1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8D60D48916h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BCDB8 second address: 7BCDBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BCDBE second address: 7BCDDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D60D48921h 0x00000009 popad 0x0000000a pushad 0x0000000b jl 00007F8D60D48916h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C68C6 second address: 7C68D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D60DD044Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C551B second address: 7C5533 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F8D60D48923h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C5533 second address: 7C553D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C569A second address: 7C56B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D60D4891Fh 0x00000009 pop ecx 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C56B4 second address: 7C56D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jnl 00007F8D60DD0452h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C56D3 second address: 7C56DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8D60D48916h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C5B6B second address: 7C5B75 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8D60DD0446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C5CB9 second address: 7C5CBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C5CBF second address: 7C5CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8D60DD044Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C5CD4 second address: 7C5CDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C5CDA second address: 7C5CEC instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8D60DD0448h 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007F8D60DD044Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C51F6 second address: 7C5213 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60D48929h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C5FAF second address: 7C5FB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C5FB5 second address: 7C5FBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C62B1 second address: 7C62DC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 jnc 00007F8D60DD045Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C62DC second address: 7C62E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CBE15 second address: 7CBE31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F8D60DD044Eh 0x0000000a pushad 0x0000000b popad 0x0000000c jc 00007F8D60DD0446h 0x00000012 pop ebx 0x00000013 je 00007F8D60DD0477h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CA8C0 second address: 7CA8C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CAB4D second address: 7CAB53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CAB53 second address: 7CAB68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D60D4891Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CAB68 second address: 7CAB6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CAB6C second address: 7CAB91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60D48927h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d jbe 00007F8D60D48916h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CAB91 second address: 7CAB95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CAE50 second address: 7CAE56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CAF96 second address: 7CAF9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CAF9C second address: 7CAFBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8D60D48929h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CAFBC second address: 7CAFC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB148 second address: 7CB14E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB14E second address: 7CB154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB154 second address: 7CB16C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8D60D48916h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push edi 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB16C second address: 7CB172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB172 second address: 7CB17E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB17E second address: 7CB184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB70A second address: 7CB70E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB70E second address: 7CB718 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8D60DD0446h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB718 second address: 7CB722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB722 second address: 7CB726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB726 second address: 7CB72A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB825 second address: 7CB82B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB82B second address: 7CB83D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jo 00007F8D60D48918h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB83D second address: 7CB845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB845 second address: 7CB84B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB84B second address: 7CB862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D60DD0451h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CBCDA second address: 7CBCE4 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8D60D48922h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CA5C5 second address: 7CA5F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F8D60DD0452h 0x0000000d jmp 00007F8D60DD0450h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CA5F2 second address: 7CA621 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F8D60D48916h 0x00000009 jmp 00007F8D60D48929h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 jns 00007F8D60D48916h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D0AF2 second address: 7D0AFC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8D60DD0446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D0C24 second address: 7D0C35 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8D60D48916h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D0C35 second address: 7D0C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D0DDE second address: 7D0DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D0F37 second address: 7D0F5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8D60DD0455h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F8D60DD0461h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D0F5A second address: 7D0F77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D60D48925h 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D0F77 second address: 7D0F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D5573 second address: 7D5577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D8ED6 second address: 7D8EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DD65E second address: 7DD664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DD7B5 second address: 7DD7BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DD7BA second address: 7DD7D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8D60D48923h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DD7D2 second address: 7DD7E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8D60DD0446h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jp 00007F8D60DD0446h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DDAA5 second address: 7DDAE8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8D60D48916h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F8D60D48924h 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jnp 00007F8D60D48916h 0x00000019 push edx 0x0000001a pop edx 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e jmp 00007F8D60D48926h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788C14 second address: 788C18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788C18 second address: 788C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788C1E second address: 788C3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60DD0457h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DFFF1 second address: 7E000B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a jnc 00007F8D60D48916h 0x00000010 popad 0x00000011 pushad 0x00000012 jno 00007F8D60D48916h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E516D second address: 7E5172 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E59F2 second address: 7E5A04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60D4891Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E5A04 second address: 7E5A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E5C93 second address: 7E5C97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E5C97 second address: 7E5CAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F8D60DD044Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E5F77 second address: 7E5F7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E6512 second address: 7E6517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E6806 second address: 7E680A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E6AA3 second address: 7E6AC3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 pushad 0x0000000a push edi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8D60DD044Ah 0x00000015 jnc 00007F8D60DD0446h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E6AC3 second address: 7E6AD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60D4891Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E6AD9 second address: 7E6AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D60DD044Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E6D61 second address: 7E6D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8D60D48916h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E6D70 second address: 7E6D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E6D74 second address: 7E6D78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E6D78 second address: 7E6D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E6D84 second address: 7E6D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E92CB second address: 7E92DB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007F8D60DD0448h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E92DB second address: 7E92E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E92E1 second address: 7E92E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E92E7 second address: 7E92EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EA8F4 second address: 7EA91C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8D60DD044Eh 0x00000008 je 00007F8D60DD0448h 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 js 00007F8D60DD044Ah 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7ED712 second address: 7ED764 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60D48925h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F8D60D4891Ch 0x00000011 jng 00007F8D60D48916h 0x00000017 jmp 00007F8D60D48920h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push ebx 0x00000020 jnl 00007F8D60D48916h 0x00000026 jnp 00007F8D60D48916h 0x0000002c pop ebx 0x0000002d push edi 0x0000002e pushad 0x0000002f popad 0x00000030 jnc 00007F8D60D48916h 0x00000036 pop edi 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7ED764 second address: 7ED774 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007F8D60DD0446h 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7ED774 second address: 7ED778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EE00C second address: 7EE014 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EE014 second address: 7EE022 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8D60D4891Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EE022 second address: 7EE043 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8D60DD0455h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 740DFB second address: 740E05 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 740E05 second address: 740E09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 740E09 second address: 740E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F3FF4 second address: 7F401B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8D60DD0446h 0x0000000a pop esi 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007F8D60DD044Eh 0x00000017 jno 00007F8D60DD0446h 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 pushad 0x00000023 popad 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FB2D0 second address: 7FB2E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007F8D60D48916h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FB2E1 second address: 7FB2E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FB2E7 second address: 7FB311 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60D4891Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F8D60D4891Bh 0x00000013 pop esi 0x00000014 js 00007F8D60D4891Eh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FB311 second address: 7FB32E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 je 00007F8D60DD045Eh 0x0000000d jng 00007F8D60DD0448h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jp 00007F8D60DD0446h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FB670 second address: 7FB67C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FB67C second address: 7FB69D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 jmp 00007F8D60DD0458h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FB7F6 second address: 7FB7FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FB7FB second address: 7FB815 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60DD0455h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FB966 second address: 7FB96B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FB96B second address: 7FB98C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F8D60DD0457h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FBABB second address: 7FBAC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F8D60D4891Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FC70D second address: 7FC71C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F8D60DD0446h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FAD56 second address: 7FAD5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 800E10 second address: 800E15 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803E09 second address: 803E13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F8D60D48916h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803E13 second address: 803E17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803802 second address: 803806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80397D second address: 803981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E81C second address: 80E820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E820 second address: 80E837 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60DD044Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E837 second address: 80E852 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8D60D48925h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 744261 second address: 74426D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F8D60DD045Ah 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81AA73 second address: 81AA90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60D48926h 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8224E7 second address: 8224EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8224EB second address: 8224F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F8D60D48916h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 822308 second address: 82232F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F8D60DD045Fh 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F8D60DD0457h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82232F second address: 82235B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F8D60D48916h 0x0000000c jmp 00007F8D60D48929h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 823A48 second address: 823A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 823A4E second address: 823A52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82949D second address: 8294A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8294A1 second address: 8294A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8295ED second address: 8295F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8295F1 second address: 8295F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8295F5 second address: 8295FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82A87F second address: 82A883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82A883 second address: 82A899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jc 00007F8D60DD0446h 0x0000000d pop ebx 0x0000000e jl 00007F8D60DD044Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82C17F second address: 82C188 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82F1FC second address: 82F20D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F8D60DD044Eh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82F20D second address: 82F211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82F211 second address: 82F221 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8D60DD0452h 0x00000008 jno 00007F8D60DD0446h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82F221 second address: 82F22E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83F3B9 second address: 83F3CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c jl 00007F8D60DD0446h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 842EAF second address: 842EB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 842EB3 second address: 842EC1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8D60DD0446h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 842EC1 second address: 842EE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60D48925h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F8D60D48916h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F033 second address: 84F039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F039 second address: 84F089 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F8D60D48923h 0x0000000e je 00007F8D60D48916h 0x00000014 popad 0x00000015 jmp 00007F8D60D48929h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F8D60D48920h 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F089 second address: 84F08D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F08D second address: 84F0A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 jc 00007F8D60D48918h 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F0A1 second address: 84F0A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F0A5 second address: 84F0A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8505F3 second address: 8505F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8505F7 second address: 85060B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8D60D48916h 0x00000008 jp 00007F8D60D48916h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85060B second address: 85061B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jg 00007F8D60DD0446h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 853FAB second address: 853FB9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8D60D48916h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 853FB9 second address: 853FBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 853FBD second address: 853FF2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8D60D48916h 0x00000008 jno 00007F8D60D48916h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop ecx 0x00000011 je 00007F8D60D4893Bh 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F8D60D48929h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 855585 second address: 85558D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85558D second address: 85559B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85559B second address: 8555AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8D60DD044Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8555AE second address: 8555DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8D60D48920h 0x00000007 jmp 00007F8D60D48922h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F8D60D48916h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 857C62 second address: 857C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8D60DD0446h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 857C6D second address: 857C84 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F8D60D48922h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 871CA3 second address: 871CC1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F8D60DD0450h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 871CC1 second address: 871CC6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 871CC6 second address: 871CCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 870C4E second address: 870C62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8D60D4891Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 870C62 second address: 870C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8713EF second address: 871426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jng 00007F8D60D48916h 0x0000000c jmp 00007F8D60D48925h 0x00000011 pop esi 0x00000012 pushad 0x00000013 jmp 00007F8D60D48922h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8716C2 second address: 8716CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F8D60DD0446h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8716CD second address: 8716D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8719A2 second address: 8719A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87794E second address: 877958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8D60D48916h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 877958 second address: 87795C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78C1E5 second address: 78C1E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78C3E0 second address: 78C3E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78C3E6 second address: 78C3EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5DEF24 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 77F654 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5DC16A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7A6571 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 7120 Thread sleep time: -36018s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2136 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6452 Thread sleep time: -38019s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 2136 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, 00000000.00000002.2493299209.000000000075F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2494536419.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2492894965.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2494351855.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2493299209.000000000075F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C0F10 LdrInitializeThunk, 0_2_005C0F10

HIPS / PFW / Operating System Protection Evasion
barindex
LummaC encrypted strings found
Source: file.exe String found in binary or memory: scriptyprefej.store
Source: file.exe String found in binary or memory: navygenerayk.store
Source: file.exe String found in binary or memory: founpiuer.store
Source: file.exe String found in binary or memory: necklacedmny.store
Source: file.exe String found in binary or memory: thumbystriw.store
Source: file.exe String found in binary or memory: fadehairucw.store
Source: file.exe String found in binary or memory: crisiwarny.store
Source: file.exe String found in binary or memory: presticitpo.store
Source: file.exe, 00000000.00000002.2493562034.00000000007A4000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1544953 Sample: file.exe Startdate: 29/10/2024 Architecture: WINDOWS Score: 100 10 thumbystriw.store 2->10 12 presticitpo.store 2->12 14 3 other IPs or domains 2->14 18 Suricata IDS alerts for network traffic 2->18 20 Found malware configuration 2->20 22 Antivirus / Scanner detection for submitted sample 2->22 24 8 other signatures 2->24 6 file.exe 2->6         started        signatures3 process4 dnsIp5 16 necklacedmny.store 188.114.96.3, 443, 49710, 49711 CLOUDFLARENETUS European Union 6->16 26 Detected unpacking (changes PE section rights) 6->26 28 Tries to detect sandboxes and other dynamic analysis tools (window names) 6->28 30 Tries to evade debugger and weak emulator (self modifying code) 6->30 32 4 other signatures 6->32 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.96.3
 necklacedmny.store European Union
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
necklacedmny.store 188.114.96.3 true
presticitpo.store unknown unknown
thumbystriw.store unknown unknown
crisiwarny.store unknown unknown
fadehairucw.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
presticitpo.store true
    		unknown
    founpiuer.store true
      		unknown
      scriptyprefej.store true
        		unknown
        https://necklacedmny.store/api true
          		unknown
          thumbystriw.store true
            		unknown
            necklacedmny.store true
              		unknown
              crisiwarny.store true
                		unknown
                fadehairucw.store true
                  		unknown
                  navygenerayk.store true
                    		unknown