Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1545849
MD5: 900b4f529c53a8740d16c0372dc2ca9a
SHA1: 342f5cd2f6a7beecca59553f4d970454caa961ca
SHA256: d22ac8685cb5b613bf5b6271239cd4c51b680d06a41f3c4d4d5aaefbf9ad5bc6
Tags: exeuser-Bitsight
Infos:

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Found malware configuration
Source: file.exe.6648.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["presticitpo.store", "crisiwarny.store", "thumbystriw.store", "navygenerayk.store", "fadehairucw.store", "founpiuer.store", "scriptyprefej.store", "necklacedmny.store"], "Build id": "4SD0y4--legendaryy"}
Multi AV Scanner detection for domain / URL
Source: necklacedmny.store Virustotal: Detection: 22% Perma Link
Source: thumbystriw.store Virustotal: Detection: 14% Perma Link
Source: presticitpo.store Virustotal: Detection: 11% Perma Link
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 39%
Source: file.exe Virustotal: Detection: 51% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.2155862356.0000000000601000.00000040.00000001.01000000.00000003.sdmp String decryptor: scriptyprefej.store
Source: 00000000.00000002.2155862356.0000000000601000.00000040.00000001.01000000.00000003.sdmp String decryptor: navygenerayk.store
Source: 00000000.00000002.2155862356.0000000000601000.00000040.00000001.01000000.00000003.sdmp String decryptor: founpiuer.store
Source: 00000000.00000002.2155862356.0000000000601000.00000040.00000001.01000000.00000003.sdmp String decryptor: necklacedmny.store
Source: 00000000.00000002.2155862356.0000000000601000.00000040.00000001.01000000.00000003.sdmp String decryptor: thumbystriw.store
Source: 00000000.00000002.2155862356.0000000000601000.00000040.00000001.01000000.00000003.sdmp String decryptor: fadehairucw.store
Source: 00000000.00000002.2155862356.0000000000601000.00000040.00000001.01000000.00000003.sdmp String decryptor: crisiwarny.store
Source: 00000000.00000002.2155862356.0000000000601000.00000040.00000001.01000000.00000003.sdmp String decryptor: presticitpo.store
Source: 00000000.00000002.2155862356.0000000000601000.00000040.00000001.01000000.00000003.sdmp String decryptor: presticitpo.store
Source: 00000000.00000002.2155862356.0000000000601000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2155862356.0000000000601000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2155862356.0000000000601000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2155862356.0000000000601000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2155862356.0000000000601000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2155862356.0000000000601000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061D7F8 CryptUnprotectData, 0_2_0061D7F8
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49710 version: TLS 1.2
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_0061104F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-42h] 0_2_0060E1A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_0063E210
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, dword ptr [esi+64h] 0_2_006315DC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, eax 0_2_0062F9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esi+10h], edx 0_2_0062F9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi], cl 0_2_0062F9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_0062F9D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [esp+edx+6D44C030h] 0_2_0062AB20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9ABDB589h 0_2_0062AB20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 0_2_00644C40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+75E07B5Ch] 0_2_0060EC20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edi, esi 0_2_0063BCA9
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-0000008Ah] 0_2_0060CF90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+38h] 0_2_0061E07E
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [ecx+edx] 0_2_0063F020
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov esi, dword ptr [esp+1Ch] 0_2_0063F020
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, eax 0_2_0062702F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [eax+ebx], 30303030h 0_2_00601000
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h 0_2_00601000
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add ecx, eax 0_2_0062A083
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-6Ch] 0_2_0062A083
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov esi, ecx 0_2_00642165
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, dword ptr [0064DCFCh] 0_2_0063C132
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], B62B8D10h 0_2_0062D2FD
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [esp] 0_2_0062D2FD
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00628290
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+29352E8Dh] 0_2_00645330
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], B62B8D10h 0_2_0062C3A6
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebp, edx 0_2_006424E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_006114CE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, dword ptr [esp+04h] 0_2_006014A8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+58h] 0_2_00622520
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_006435F0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h] 0_2_006435F0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 0_2_006266E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax] 0_2_006236AC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00643740
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h] 0_2_00643740
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [eax], cl 0_2_0062F73A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [esp+eax-3ED06EDAh] 0_2_0063C7A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_0062E7B0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add edx, esi 0_2_006298F2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [eax], cl 0_2_00630887
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 0_2_00605890
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00626940
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_006439C0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h] 0_2_006439C0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h] 0_2_00643A90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then and esi, 001FF800h 0_2_00604BA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp+04h], ecx 0_2_0061FBA0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h 0_2_0062ECE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_00638C80
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+6D44C02Ch] 0_2_0063FC90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [ebp+edx*4+00h], ax 0_2_0060BD50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+34h] 0_2_0060BD50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h] 0_2_00643D90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp edx 0_2_00608EF0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], bp 0_2_00621EC5
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [ecx], di 0_2_00621EC5
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [eax], cl 0_2_00630F3E

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.5:49889 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.5:55922 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.5:52090 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.5:60107 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49711 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49704 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49710 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49707 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49709 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49708 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.5:62785 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.5:49706 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49709 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 188.114.96.3:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: presticitpo.store
Source: Malware configuration extractor URLs: crisiwarny.store
Source: Malware configuration extractor URLs: thumbystriw.store
Source: Malware configuration extractor URLs: navygenerayk.store
Source: Malware configuration extractor URLs: fadehairucw.store
Source: Malware configuration extractor URLs: founpiuer.store
Source: Malware configuration extractor URLs: scriptyprefej.store
Source: Malware configuration extractor URLs: necklacedmny.store
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12840Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15082Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20572Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1255Host: necklacedmny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 585899Host: necklacedmny.store
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: presticitpo.store
Source: global traffic DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic DNS traffic detected: DNS query: necklacedmny.store
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: necklacedmny.store
Source: file.exe, 00000000.00000003.2087120020.0000000005731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2087120020.0000000005731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.2087120020.0000000005731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2087120020.0000000005731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2087120020.0000000005731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2087120020.0000000005731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2087120020.0000000005731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.2087120020.0000000005731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2087120020.0000000005731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.2087120020.0000000005731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2087120020.0000000005731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.2062528967.000000000572C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2102002943.000000000570F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2101926012.000000000570E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000003.2102002943.000000000570F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2101926012.000000000570E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: file.exe, 00000000.00000003.2062528967.000000000572C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2062528967.000000000572C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2062528967.000000000572C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.2102002943.000000000570F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2101926012.000000000570E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.2102002943.000000000570F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2101926012.000000000570E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: file.exe, 00000000.00000003.2062528967.000000000572C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2062528967.000000000572C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2062528967.000000000572C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.2101926012.000000000570E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, file.exe, 00000000.00000003.2150400482.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124998793.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2156730025.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/
Source: file.exe, 00000000.00000003.2155414603.000000000108A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2156988651.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/5
Source: file.exe, 00000000.00000002.2156730025.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/C~T
Source: file.exe, 00000000.00000003.2155414603.000000000108A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2156988651.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/E
Source: file.exe, 00000000.00000003.2155745718.00000000056F1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155625030.0000000001095000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124998793.0000000001095000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155717509.000000000109B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2156940751.0000000001024000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2162814769.00000000056F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155487590.0000000001021000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074555367.00000000010A6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155758852.0000000001023000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075150921.00000000010A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api
Source: file.exe, 00000000.00000003.2155745718.00000000056F1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2162814769.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api.IL
Source: file.exe, 00000000.00000003.2155758852.0000000001031000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2156940751.0000000001031000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiG
Source: file.exe, 00000000.00000003.2155745718.00000000056F1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2162814769.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiPI
Source: file.exe, 00000000.00000003.2155745718.00000000056F1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2162814769.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiersionnF
Source: file.exe, 00000000.00000003.2155745718.00000000056F1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2162814769.00000000056F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apitio
Source: file.exe, 00000000.00000003.2101926012.0000000005703000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124794270.00000000056F6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124724016.0000000005704000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113979900.0000000005703000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2162831044.0000000005704000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/c
Source: file.exe, 00000000.00000003.2075150921.0000000001095000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155414603.000000000108A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074555367.0000000001094000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2156988651.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/m
Source: file.exe, file.exe, 00000000.00000003.2155487590.000000000100E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2156847859.000000000100E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store:443/api
Source: file.exe, 00000000.00000002.2156847859.000000000100E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store:443/apiicrosoft
Source: file.exe, 00000000.00000003.2088361896.0000000005810000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.2088361896.0000000005810000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.2102002943.000000000570F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2101926012.000000000570E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: file.exe, 00000000.00000003.2102002943.000000000570F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2101926012.000000000570E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: file.exe, 00000000.00000003.2062528967.000000000572C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2062528967.000000000572C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.2088361896.0000000005810000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000003.2088361896.0000000005810000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000003.2088361896.0000000005810000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.2088361896.0000000005810000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2088361896.0000000005810000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000003.2088361896.0000000005810000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49710 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_01025CF0 0_3_01025CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_01025CF0 0_3_01025CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0104F522 0_3_0104F522
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0104F522 0_3_0104F522
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0104F522 0_3_0104F522
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0104F522 0_3_0104F522
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_01025CF0 0_3_01025CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_01025CF0 0_3_01025CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061104F 0_2_0061104F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00626022 0_2_00626022
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060E1A0 0_2_0060E1A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00610460 0_2_00610460
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006315DC 0_2_006315DC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060F755 0_2_0060F755
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061D7F8 0_2_0061D7F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0063B7B0 0_2_0063B7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062F9D0 0_2_0062F9D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006279B0 0_2_006279B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062AB20 0_2_0062AB20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060EC20 0_2_0060EC20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0063BCA9 0_2_0063BCA9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061E07E 0_2_0061E07E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00645040 0_2_00645040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00635050 0_2_00635050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0063F020 0_2_0063F020
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062702F 0_2_0062702F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 0_2_007E3021
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00601000 0_2_00601000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00605000 0_2_00605000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061D010 0_2_0061D010
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006230E0 0_2_006230E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006440E0 0_2_006440E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0063B0F0 0_2_0063B0F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006070B0 0_2_006070B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00642165 0_2_00642165
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006D712E 0_2_006D712E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00621100 0_2_00621100
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062A112 0_2_0062A112
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006091E9 0_2_006091E9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060A260 0_2_0060A260
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00870290 0_2_00870290
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060B240 0_2_0060B240
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062D2FD 0_2_0062D2FD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006012D5 0_2_006012D5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00601328 0_2_00601328
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00629328 0_2_00629328
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00645330 0_2_00645330
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006283E2 0_2_006283E2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062B3D0 0_2_0062B3D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062C3A6 0_2_0062C3A6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00608460 0_2_00608460
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00634461 0_2_00634461
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D244A 0_2_007D244A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007CD420 0_2_007CD420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006424E0 0_2_006424E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006114CE 0_2_006114CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062F570 0_2_0062F570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0063A523 0_2_0063A523
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00622520 0_2_00622520
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B952F 0_2_007B952F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E550F 0_2_007E550F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062A510 0_2_0062A510
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006435F0 0_2_006435F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006165D7 0_2_006165D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007075BD 0_2_007075BD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007DC5A9 0_2_007DC5A9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E664F 0_2_007E664F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00672684 0_2_00672684
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00623770 0_2_00623770
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00643740 0_2_00643740
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060A720 0_2_0060A720
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062F73A 0_2_0062F73A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00642700 0_2_00642700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0063C7A0 0_2_0063C7A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061E837 0_2_0061E837
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0063F800 0_2_0063F800
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006298F2 0_2_006298F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006308B1 0_2_006308B1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00630887 0_2_00630887
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0072E975 0_2_0072E975
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00626940 0_2_00626940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0074B945 0_2_0074B945
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00603930 0_2_00603930
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006439C0 0_2_006439C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00616997 0_2_00616997
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D5A73 0_2_007D5A73
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007DAA58 0_2_007DAA58
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00614A4C 0_2_00614A4C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061FA4F 0_2_0061FA4F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00607AB0 0_2_00607AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060DA80 0_2_0060DA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00643A90 0_2_00643A90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00642B10 0_2_00642B10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006B3BE3 0_2_006B3BE3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00634BC7 0_2_00634BC7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062CBD0 0_2_0062CBD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061FBA0 0_2_0061FBA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061CC20 0_2_0061CC20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062ECE0 0_2_0062ECE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E1CD1 0_2_007E1CD1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061ED48 0_2_0061ED48
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060BD50 0_2_0060BD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00606D10 0_2_00606D10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D0DC1 0_2_007D0DC1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060ADB0 0_2_0060ADB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00643D90 0_2_00643D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00613E45 0_2_00613E45
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00633E24 0_2_00633E24
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00608EF0 0_2_00608EF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006E6EFA 0_2_006E6EFA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00621EC5 0_2_00621EC5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00763EB7 0_2_00763EB7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0063AE90 0_2_0063AE90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060DF60 0_2_0060DF60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00639F61 0_2_00639F61
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006D0F55 0_2_006D0F55
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00630F3E 0_2_00630F3E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006DCF15 0_2_006DCF15
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00609FF5 0_2_00609FF5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D8FAE 0_2_007D8FAE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00642FB0 0_2_00642FB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D3FA2 0_2_007D3FA2
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0060E190 appears 152 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0060C890 appears 69 times
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.998046875
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@5/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00632240 CoCreateInstance, 0_2_00632240
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000003.2074641754.000000000572E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062308476.000000000571A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062632582.00000000056FB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 39%
Source: file.exe Virustotal: Detection: 51%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe String found in binary or memory: N{WRtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNePW
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: file.exe Static file information: File size 3093504 > 1048576
Source: file.exe Static PE information: Raw size of vphonoxp is bigger than: 0x100000 < 0x2c7800

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.600000.0.unpack :EW;.rsrc:W;.idata :W;vphonoxp:EW;aljcmtdz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;vphonoxp:EW;aljcmtdz:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x2f345e should be: 0x2fc12d
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: vphonoxp
Source: file.exe Static PE information: section name: aljcmtdz
Source: file.exe Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0101E307 push eax; iretd 0_3_0101E308
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0101E53B push es; ret 0_3_0101E661
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_01037759 push ecx; retn 004Eh 0_3_010377F9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_01037759 push ecx; retn 004Eh 0_3_010377F9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_01037759 push ecx; retn 004Eh 0_3_010377F9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_01037759 push ecx; retn 004Eh 0_3_010377F9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00810098 push 57ECD757h; mov dword ptr [esp], ecx 0_2_0081010C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E9034 push edx; mov dword ptr [esp], edi 0_2_007E917B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push eax; mov dword ptr [esp], ebp 0_2_007E30A4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push eax; mov dword ptr [esp], 55CF5A86h 0_2_007E30D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push ecx; mov dword ptr [esp], edx 0_2_007E3144
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push ebp; mov dword ptr [esp], eax 0_2_007E315F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push eax; mov dword ptr [esp], ecx 0_2_007E31D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push edx; mov dword ptr [esp], esi 0_2_007E31E8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push 13A07950h; mov dword ptr [esp], esi 0_2_007E3242
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push ebx; mov dword ptr [esp], edx 0_2_007E32FD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push 3257F2F7h; mov dword ptr [esp], edi 0_2_007E3311
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push ebx; mov dword ptr [esp], eax 0_2_007E33C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push edx; mov dword ptr [esp], 7FC00D93h 0_2_007E33C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push 086EC82Ah; mov dword ptr [esp], ebp 0_2_007E347E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push 1134A8E2h; mov dword ptr [esp], eax 0_2_007E34E4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push ecx; mov dword ptr [esp], edx 0_2_007E35AF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push ebx; mov dword ptr [esp], 1C8FD066h 0_2_007E3656
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push ebx; mov dword ptr [esp], edx 0_2_007E3662
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push ecx; mov dword ptr [esp], 44EA082Ah 0_2_007E3740
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push 7A0B03C0h; mov dword ptr [esp], eax 0_2_007E3772
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push 778FA4AAh; mov dword ptr [esp], ebx 0_2_007E377B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push eax; mov dword ptr [esp], edx 0_2_007E3838
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push 09D06B31h; mov dword ptr [esp], ecx 0_2_007E3873
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push edx; mov dword ptr [esp], ebx 0_2_007E38AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E3021 push ebx; mov dword ptr [esp], ecx 0_2_007E3957
Source: file.exe Static PE information: section name: entropy: 7.978424243223096

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation Jump to behavior
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D0489 second address: 7D048F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D048F second address: 7D0494 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EB704 second address: 7EB708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EB708 second address: 7EB712 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EB712 second address: 7EB716 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EB716 second address: 7EB72A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3D50D0EC66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F3D50D0EC66h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EBA4A second address: 7EBA87 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3D507EA96Ch 0x00000008 pushad 0x00000009 jnl 00007F3D507EA966h 0x0000000f jmp 00007F3D507EA979h 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push ecx 0x0000001a pushad 0x0000001b js 00007F3D507EA966h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EBA87 second address: 7EBA8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EE144 second address: 7EE148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EE3EB second address: 7EE42A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnl 00007F3D50D0EC66h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 jmp 00007F3D50D0EC70h 0x00000016 push eax 0x00000017 push eax 0x00000018 pop eax 0x00000019 pop eax 0x0000001a popad 0x0000001b pop eax 0x0000001c xor edx, 2073BCAEh 0x00000022 lea ebx, dword ptr [ebp+12463011h] 0x00000028 mov dword ptr [ebp+122D1DD3h], edx 0x0000002e xchg eax, ebx 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EE42A second address: 7EE42E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EE59A second address: 7EE5C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F3D50D0EC6Bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3D50D0EC72h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EE5C5 second address: 7EE5CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EE5CB second address: 7EE5CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EE5CF second address: 7EE62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 pushad 0x00000017 jmp 00007F3D507EA96Ch 0x0000001c jmp 00007F3D507EA96Bh 0x00000021 popad 0x00000022 pop eax 0x00000023 mov edx, dword ptr [ebp+122D366Dh] 0x00000029 xor ecx, dword ptr [ebp+122D1DBEh] 0x0000002f lea ebx, dword ptr [ebp+1246301Ch] 0x00000035 xchg eax, ebx 0x00000036 push edx 0x00000037 pushad 0x00000038 pushad 0x00000039 popad 0x0000003a push ebx 0x0000003b pop ebx 0x0000003c popad 0x0000003d pop edx 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F3D507EA96Dh 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 810327 second address: 81032D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DA5CB second address: 7DA5D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E589 second address: 80E58F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E58F second address: 80E594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E709 second address: 80E713 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3D50D0EC66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E713 second address: 80E76C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F3D507EA96Bh 0x0000000c pop eax 0x0000000d jp 00007F3D507EA980h 0x00000013 pushad 0x00000014 push esi 0x00000015 pop esi 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 popad 0x0000001a push ecx 0x0000001b push ebx 0x0000001c jmp 00007F3D507EA978h 0x00000021 pop ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E8A2 second address: 80E8A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E8A6 second address: 80E8DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3D507EA977h 0x0000000b pushad 0x0000000c jmp 00007F3D507EA976h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E8DE second address: 80E8F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D50D0EC72h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E8F4 second address: 80E8F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E8F8 second address: 80E906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80E906 second address: 80E90A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80EBC0 second address: 80EBCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80EBCA second address: 80EBCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80EBCF second address: 80EBDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F3D50D0EC66h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80EBDB second address: 80EBE5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3D507EA966h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80ED5C second address: 80ED72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D50D0EC70h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80F15F second address: 80F165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80F165 second address: 80F174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80F2D7 second address: 80F2DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80F2DB second address: 80F2DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80F2DF second address: 80F306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D507EA970h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F3D507EA96Eh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 802317 second address: 80231E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CE95B second address: 7CE960 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CE960 second address: 7CE966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CE966 second address: 7CE96C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CE96C second address: 7CE974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80FD05 second address: 80FD0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80FD0D second address: 80FD26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F3D50D0EC71h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80FE97 second address: 80FEB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F3D507EA977h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80FEB4 second address: 80FEC6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3D50D0EC66h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80FEC6 second address: 80FECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80FECA second address: 80FECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8186E5 second address: 8186EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8189C2 second address: 8189CC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3D50D0EC66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81B6A1 second address: 81B6A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81B6A5 second address: 81B6AB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81B6AB second address: 81B6DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 jmp 00007F3D507EA96Fh 0x0000000d push ebx 0x0000000e jmp 00007F3D507EA972h 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 je 00007F3D507EA966h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81B957 second address: 81B95B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81B95B second address: 81B95F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81B95F second address: 81B968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81B968 second address: 81B96E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81DBE0 second address: 81DBE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81DC3B second address: 81DC75 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3D507EA97Ah 0x00000008 jmp 00007F3D507EA974h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xor dword ptr [esp], 07BA3006h 0x00000016 sub esi, dword ptr [ebp+122D37B9h] 0x0000001c push 65EE4410h 0x00000021 jbe 00007F3D507EA974h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81DC75 second address: 81DC79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81EBF3 second address: 81EBF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81EC94 second address: 81EC9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81EC9A second address: 81EC9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81EC9E second address: 81ECB5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3D50D0EC6Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81ECB5 second address: 81ECBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81ECBB second address: 81ECD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub esi, 4771C7B8h 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81ECD8 second address: 81ECE2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3D507EA966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81F1DC second address: 81F1E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81F1E5 second address: 81F1E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81F1E9 second address: 81F1F5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81F1F5 second address: 81F228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dword ptr [ebp+12485B8Fh], edi 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 mov si, C061h 0x00000016 pop edi 0x00000017 push 00000000h 0x00000019 mov si, D4A1h 0x0000001d xchg eax, ebx 0x0000001e jmp 00007F3D507EA96Bh 0x00000023 push eax 0x00000024 push edi 0x00000025 je 00007F3D507EA96Ch 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 820450 second address: 82045F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 822354 second address: 822374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3D507EA979h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82391B second address: 82391F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 822121 second address: 82213E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3D507EA979h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 822BAF second address: 822BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007F3D50D0EC66h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82213E second address: 822155 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3D507EA966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007F3D507EA968h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 822155 second address: 82215A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 826119 second address: 826121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 826121 second address: 826129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 826129 second address: 826135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D7001 second address: 7D703A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC6Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F3D50D0EC6Ah 0x00000011 popad 0x00000012 pop ecx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F3D50D0EC79h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D703A second address: 7D703E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 829CC8 second address: 829CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82AEE8 second address: 82AEEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82CF22 second address: 82CF2C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3D50D0EC66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82C030 second address: 82C038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82C038 second address: 82C0F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F3D50D0EC76h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F3D50D0EC68h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 js 00007F3D50D0EC6Ch 0x0000002d mov edi, dword ptr [ebp+122D1F76h] 0x00000033 push dword ptr fs:[00000000h] 0x0000003a mov edi, dword ptr [ebp+122D35ADh] 0x00000040 mov dword ptr fs:[00000000h], esp 0x00000047 sub dword ptr [ebp+122D55A7h], ebx 0x0000004d mov eax, dword ptr [ebp+122D0481h] 0x00000053 push 00000000h 0x00000055 push ecx 0x00000056 call 00007F3D50D0EC68h 0x0000005b pop ecx 0x0000005c mov dword ptr [esp+04h], ecx 0x00000060 add dword ptr [esp+04h], 00000017h 0x00000068 inc ecx 0x00000069 push ecx 0x0000006a ret 0x0000006b pop ecx 0x0000006c ret 0x0000006d xor di, F400h 0x00000072 push FFFFFFFFh 0x00000074 call 00007F3D50D0EC72h 0x00000079 pop edi 0x0000007a mov ebx, edx 0x0000007c nop 0x0000007d pushad 0x0000007e jmp 00007F3D50D0EC71h 0x00000083 push eax 0x00000084 push edx 0x00000085 push ecx 0x00000086 pop ecx 0x00000087 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82C0F0 second address: 82C107 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3D507EA966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jnl 00007F3D507EA970h 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D8B52 second address: 7D8B58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8306AA second address: 8306C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA970h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8317B9 second address: 8317DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3D50D0EC78h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8326CA second address: 8326CF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8317DA second address: 8317F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3D50D0EC79h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8343EE second address: 8343FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F3D507EA966h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8326CF second address: 83275D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F3D50D0EC68h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 jmp 00007F3D50D0EC76h 0x00000029 mov ebx, esi 0x0000002b push dword ptr fs:[00000000h] 0x00000032 jmp 00007F3D50D0EC79h 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e jmp 00007F3D50D0EC6Fh 0x00000043 mov eax, dword ptr [ebp+122D08EDh] 0x00000049 mov bh, 6Eh 0x0000004b push FFFFFFFFh 0x0000004d push ecx 0x0000004e movsx ebx, bx 0x00000051 pop ebx 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 pushad 0x00000057 popad 0x00000058 push edx 0x00000059 pop edx 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8343FA second address: 8343FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8343FE second address: 834402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8349B6 second address: 8349BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8349BE second address: 834A06 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3D50D0EC66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov ebx, 3DB58F0Eh 0x00000011 push 00000000h 0x00000013 or edi, 4117D899h 0x00000019 push 00000000h 0x0000001b mov dword ptr [ebp+1247040Ch], esi 0x00000021 xchg eax, esi 0x00000022 jmp 00007F3D50D0EC77h 0x00000027 push eax 0x00000028 jnl 00007F3D50D0EC74h 0x0000002e push eax 0x0000002f push edx 0x00000030 jp 00007F3D50D0EC66h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 838A14 second address: 838A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D507EA972h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3D507EA96Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83C0C4 second address: 83C0C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83C0C8 second address: 83C0CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 837BB3 second address: 837BC0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 838B4F second address: 838B64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a jnl 00007F3D507EA966h 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 839C50 second address: 839C56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 839C56 second address: 839C6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007F3D507EA966h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 839C6A second address: 839C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 839D29 second address: 839D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 839D2E second address: 839D34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 839D34 second address: 839D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 844F18 second address: 844F2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3D50D0EC6Dh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 844F2C second address: 844F30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CCFA4 second address: 7CCFFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F3D50D0EC7Bh 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007F3D50D0EC73h 0x00000012 popad 0x00000013 jbe 00007F3D50D0ECA5h 0x00000019 jmp 00007F3D50D0EC79h 0x0000001e pushad 0x0000001f jmp 00007F3D50D0EC76h 0x00000024 pushad 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CCFFF second address: 7CD005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84492F second address: 844933 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 844A92 second address: 844AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F3D507EA96Bh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 844AA4 second address: 844ADA instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3D50D0EC8Ch 0x00000008 jmp 00007F3D50D0EC70h 0x0000000d jmp 00007F3D50D0EC76h 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007F3D50D0EC66h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 849829 second address: 84982E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F62A second address: 84F659 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F3D50D0EC78h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F3D50D0EC71h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F659 second address: 84F663 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3D507EA96Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F663 second address: 84F68F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3D50D0EC77h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3D50D0EC6Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D3A47 second address: 7D3A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D3A4E second address: 7D3A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D50D0EC6Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84EAAB second address: 84EAB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84EAB0 second address: 84EAB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84EAB5 second address: 84EACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D507EA96Ch 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84EACE second address: 84EAD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84EAD2 second address: 84EAED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3D507EA975h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F04C second address: 84F06C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC78h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F06C second address: 84F080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D507EA970h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F080 second address: 84F091 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 je 00007F3D50D0EC66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F091 second address: 84F0B5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F3D507EA974h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jno 00007F3D507EA966h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F0B5 second address: 84F0B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F4A2 second address: 84F4A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F4A6 second address: 84F4B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F3D50D0EC68h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84F4B8 second address: 84F4BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8542C0 second address: 854318 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC6Fh 0x00000007 js 00007F3D50D0EC68h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push esi 0x00000012 push edx 0x00000013 jmp 00007F3D50D0EC6Bh 0x00000018 jmp 00007F3D50D0EC74h 0x0000001d pop edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F3D50D0EC73h 0x00000025 jne 00007F3D50D0EC66h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 854450 second address: 854459 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 854CB5 second address: 854CB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 854CB9 second address: 854CC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 858476 second address: 85847E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85847E second address: 858490 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA96Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85CDE3 second address: 85CE09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jl 00007F3D50D0EC7Fh 0x0000000d jmp 00007F3D50D0EC79h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85CE09 second address: 85CE1F instructions: 0x00000000 rdtsc 0x00000002 je 00007F3D507EA968h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F3D507EA972h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85CE1F second address: 85CE29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3D50D0EC66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85CE29 second address: 85CE3B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3D507EA96Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85CE3B second address: 85CE3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85CE3F second address: 85CE45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DC0F8 second address: 7DC0FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DC0FC second address: 7DC105 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DC105 second address: 7DC10B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 826A68 second address: 802317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push esi 0x00000007 jmp 00007F3D507EA972h 0x0000000c pop esi 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F3D507EA968h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 jc 00007F3D507EA976h 0x0000002e jmp 00007F3D507EA970h 0x00000033 call dword ptr [ebp+122D2706h] 0x00000039 push esi 0x0000003a push ebx 0x0000003b pushad 0x0000003c popad 0x0000003d pop ebx 0x0000003e pop esi 0x0000003f push eax 0x00000040 push edx 0x00000041 jnp 00007F3D507EA968h 0x00000047 push ecx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 827230 second address: 827236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8273D3 second address: 8273E1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3D507EA966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8273E1 second address: 827400 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC6Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3D50D0EC6Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 827598 second address: 82759D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8278F9 second address: 827943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a movsx edx, di 0x0000000d push 0000001Eh 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F3D50D0EC68h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 mov dl, FBh 0x0000002b nop 0x0000002c pushad 0x0000002d pushad 0x0000002e jmp 00007F3D50D0EC73h 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 827943 second address: 827964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F3D507EA972h 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e push esi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 827594 second address: 827598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85BF24 second address: 85BF5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D507EA974h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3D507EA976h 0x00000011 jp 00007F3D507EA966h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85BF5B second address: 85BF68 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85BF68 second address: 85BF77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D507EA96Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85BF77 second address: 85BF81 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3D50D0EC66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85BF81 second address: 85BF95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3D507EA96Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85BF95 second address: 85BF9F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3D50D0EC66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85BF9F second address: 85BFB9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3D507EA96Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F3D507EA966h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85BFB9 second address: 85BFBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85C112 second address: 85C12D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D507EA976h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85C2B9 second address: 85C2BE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85C474 second address: 85C478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85C478 second address: 85C47C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85C982 second address: 85C986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85C986 second address: 85C98A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85C98A second address: 85C990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 862B58 second address: 862B7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F3D50D0EC7Dh 0x0000000c jmp 00007F3D50D0EC77h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 862B7B second address: 862B8B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3D507EA968h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 861590 second address: 86159C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3D50D0EC66h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86159C second address: 8615A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8615A1 second address: 8615D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 jnc 00007F3D50D0EC66h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push esi 0x00000011 jmp 00007F3D50D0EC73h 0x00000016 jo 00007F3D50D0EC66h 0x0000001c pop esi 0x0000001d pop edx 0x0000001e pop eax 0x0000001f jo 00007F3D50D0EC84h 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8615D7 second address: 8615DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86170A second address: 861713 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 861B7D second address: 861B87 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3D507EA966h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 861CC2 second address: 861CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D50D0EC6Eh 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 861CDE second address: 861CED instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jp 00007F3D507EA966h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 861FE8 second address: 861FEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86211F second address: 862127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 862127 second address: 86214F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 jmp 00007F3D50D0EC79h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86214F second address: 862173 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3D507EA966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3D507EA976h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8622C4 second address: 8622CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 865DAC second address: 865DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D507EA970h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E4662 second address: 7E4668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86CA3A second address: 86CA43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86F880 second address: 86F8A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC70h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d jo 00007F3D50D0EC6Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86F9EC second address: 86FA01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D507EA96Ah 0x00000009 jnp 00007F3D507EA966h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86FB6E second address: 86FB7C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3D50D0EC66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86FB7C second address: 86FB94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D507EA974h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 874308 second address: 87430D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87430D second address: 87431B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F3D507EA966h 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 874738 second address: 87474B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jbe 00007F3D50D0EC6Ch 0x0000000d jbe 00007F3D50D0EC66h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87474B second address: 874752 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8749AC second address: 8749B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8782E5 second address: 8782EF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3D507EA972h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8782EF second address: 8782F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87E8CC second address: 87E8F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA970h 0x00000007 jmp 00007F3D507EA977h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87D1F7 second address: 87D219 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F3D50D0EC6Eh 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87D3F4 second address: 87D3FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87D666 second address: 87D682 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC76h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87D943 second address: 87D947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87D947 second address: 87D951 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3D50D0EC6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 827793 second address: 827797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 827797 second address: 8277A1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3D50D0EC66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87DA7E second address: 87DA87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87DA87 second address: 87DA8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87DA8B second address: 87DA8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87E5C6 second address: 87E5DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F3D50D0EC6Fh 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87E5DD second address: 87E5F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnp 00007F3D507EA972h 0x0000000b jnp 00007F3D507EA966h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 886355 second address: 88635A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8849E0 second address: 8849EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F3D507EA966h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8849EC second address: 8849F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8849F0 second address: 8849F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88558D second address: 885593 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 885593 second address: 885599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 885599 second address: 88559D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 888756 second address: 88875A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 891CD9 second address: 891CDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 891E1A second address: 891E20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 891E20 second address: 891E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jno 00007F3D50D0EC66h 0x0000000e jo 00007F3D50D0EC66h 0x00000014 popad 0x00000015 popad 0x00000016 push edi 0x00000017 push ebx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 891FBD second address: 891FC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 892127 second address: 89214A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC72h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3D50D0EC6Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89214A second address: 89218C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA979h 0x00000007 push edx 0x00000008 jnp 00007F3D507EA966h 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 je 00007F3D507EA98Bh 0x00000017 push eax 0x00000018 push edx 0x00000019 jl 00007F3D507EA966h 0x0000001f jmp 00007F3D507EA96Fh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89241D second address: 892428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3D50D0EC66h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89258A second address: 89258E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89258E second address: 8925A7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3D50D0EC66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b jng 00007F3D50D0EC81h 0x00000011 je 00007F3D50D0EC7Bh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 898F3D second address: 898F44 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 898F44 second address: 898F57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F3D50D0EC66h 0x0000000d jno 00007F3D50D0EC66h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8993A5 second address: 8993DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA979h 0x00000007 jmp 00007F3D507EA978h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8993DE second address: 8993E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8993E4 second address: 8993E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8993E8 second address: 899426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D50D0EC74h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F3D50D0EC7Ch 0x00000011 jmp 00007F3D50D0EC76h 0x00000016 push eax 0x00000017 push edx 0x00000018 jp 00007F3D50D0EC66h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 899426 second address: 89945E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA974h 0x00000007 jnc 00007F3D507EA966h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push ecx 0x00000011 jmp 00007F3D507EA96Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 js 00007F3D507EA966h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89945E second address: 899462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 899846 second address: 899864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007F3D507EA96Dh 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f jc 00007F3D507EA966h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8999F9 second address: 8999FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 899B9C second address: 899BC6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push edi 0x0000000a jmp 00007F3D507EA977h 0x0000000f pop edi 0x00000010 jnp 00007F3D507EA972h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A2114 second address: 8A2119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A2119 second address: 8A2120 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A1B14 second address: 8A1B48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3D50D0EC71h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3D50D0EC74h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A1B48 second address: 8A1B4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A1B4C second address: 8A1B58 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jp 00007F3D50D0EC66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A1CA7 second address: 8A1CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D507EA96Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A1CB5 second address: 8A1CB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8A1E32 second address: 8A1E3C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3D507EA966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8ADDE9 second address: 8ADDED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8ADDED second address: 8ADE18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F3D507EA968h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007F3D507EA97Ah 0x00000015 jmp 00007F3D507EA974h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8ADE18 second address: 8ADE30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3D50D0EC73h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8ADE30 second address: 8ADE36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8ADF96 second address: 8ADFC5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3D50D0EC66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F3D50D0EC6Fh 0x0000000f pushad 0x00000010 jns 00007F3D50D0EC66h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 jng 00007F3D50D0EC66h 0x0000001e popad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8ADFC5 second address: 8ADFD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3D507EA96Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8ADFD8 second address: 8ADFE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F3D50D0EC66h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AFB5E second address: 8AFB8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3D507EA96Ah 0x00000008 jmp 00007F3D507EA973h 0x0000000d pushad 0x0000000e popad 0x0000000f jne 00007F3D507EA966h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AFB8B second address: 8AFB9F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d ja 00007F3D50D0EC66h 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AFB9F second address: 8AFBB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA96Ch 0x00000007 jnc 00007F3D507EA96Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D1F4B second address: 7D1F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B4FC8 second address: 8B4FCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B4FCC second address: 8B4FD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B4FD6 second address: 8B4FDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B4FDA second address: 8B4FE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B4FE2 second address: 8B4FEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007F3D507EA966h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B6AC5 second address: 8B6AC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B85C1 second address: 8B85CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3D507EA966h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B85CB second address: 8B85DD instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3D50D0EC66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F3D50D0EC66h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C1CAD second address: 8C1CB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8C1B3C second address: 8C1B62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3D50D0EC76h 0x0000000c push edi 0x0000000d pop edi 0x0000000e jng 00007F3D50D0EC66h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CB0DF second address: 8CB10F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA96Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jng 00007F3D507EA966h 0x00000012 jmp 00007F3D507EA975h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CD0C6 second address: 8CD0CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D02BD second address: 8D02D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F3D507EA96Bh 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E6193 second address: 7E61B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC6Ch 0x00000007 jmp 00007F3D50D0EC6Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D5F58 second address: 8D5F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D5F5C second address: 8D5F7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC77h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D5F7D second address: 8D5F83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D5F83 second address: 8D5F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D5F87 second address: 8D5FAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA96Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F3D507EA966h 0x00000014 jc 00007F3D507EA966h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D5FAB second address: 8D5FC1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3D50D0EC66h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jno 00007F3D50D0EC66h 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D4FCB second address: 8D4FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 jg 00007F3D507EA980h 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F3D507EA966h 0x00000014 jne 00007F3D507EA966h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D4FE5 second address: 8D4FEB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D5C7B second address: 8D5C7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D5C7F second address: 8D5C87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8D5C87 second address: 8D5C98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA96Ch 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DBE10 second address: 8DBE14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DBE14 second address: 8DBE24 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3D507EA966h 0x00000008 jl 00007F3D507EA966h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DBE24 second address: 8DBE5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC73h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3D50D0EC78h 0x0000000e jmp 00007F3D50D0EC6Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DBE5D second address: 8DBE61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DBF9B second address: 8DBFA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DBFA2 second address: 8DBFC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F3D507EA975h 0x0000000a pop eax 0x0000000b jne 00007F3D507EA96Eh 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EAAE9 second address: 8EAAF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3D50D0EC66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EAAF3 second address: 8EAB24 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop ebx 0x0000000a jmp 00007F3D507EA974h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3D507EA971h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8EAB24 second address: 8EAB28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F8915 second address: 8F8919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F8919 second address: 8F8923 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3D50D0EC66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F8923 second address: 8F892E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F3D507EA966h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E10A9 second address: 7E10B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E10B0 second address: 7E10B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F8546 second address: 8F854A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F854A second address: 8F8558 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3D507EA966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8F869A second address: 8F86A6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3D50D0EC66h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9119E7 second address: 9119F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 jc 00007F3D507EA96Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9119F6 second address: 911A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F3D50D0EC6Eh 0x0000000a jp 00007F3D50D0EC66h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 jng 00007F3D50D0EC6Ch 0x00000019 js 00007F3D50D0EC66h 0x0000001f popad 0x00000020 jc 00007F3D50D0EC7Ah 0x00000026 jo 00007F3D50D0EC6Ch 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9108C3 second address: 9108F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3D507EA974h 0x00000008 push edi 0x00000009 pop edi 0x0000000a jg 00007F3D507EA966h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jc 00007F3D507EA966h 0x00000019 js 00007F3D507EA966h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 910A1C second address: 910A4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3D50D0EC78h 0x00000009 jmp 00007F3D50D0EC74h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91115B second address: 91117D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F3D507EA966h 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3D507EA974h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91129F second address: 9112A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9112A6 second address: 9112AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9112AC second address: 9112B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3D50D0EC66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 911422 second address: 91142E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 ja 00007F3D507EA966h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91142E second address: 911441 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F3D50D0EC66h 0x00000009 push esi 0x0000000a pop esi 0x0000000b js 00007F3D50D0EC66h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9115B2 second address: 9115DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA977h 0x00000007 jbe 00007F3D507EA966h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F3D507EA96Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91173F second address: 911752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F3D50D0EC6Eh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 911752 second address: 91175B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91175B second address: 911763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 915A88 second address: 915A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 915A8D second address: 915A92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 915A92 second address: 915AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F3D507EA977h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 915D6D second address: 915D71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 915D71 second address: 915D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 915D7B second address: 915D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 915D7F second address: 915D83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 91761D second address: 917621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D703A9 second address: 4D703AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D703AD second address: 4D703B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D703B3 second address: 4D703EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3D507EA978h 0x00000008 mov ax, 3B61h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3D507EA973h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D703EB second address: 4D703F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D703F1 second address: 4D703F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D703F5 second address: 4D7041D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3D50D0EC74h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D7041D second address: 4D70423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D70423 second address: 4D70442 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ebx, 12BE07CEh 0x00000014 mov dl, D2h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA041E second address: 4DA045B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 6182h 0x00000007 pushfd 0x00000008 jmp 00007F3D507EA973h 0x0000000d jmp 00007F3D507EA973h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a movsx edi, si 0x0000001d mov dx, cx 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA045B second address: 4DA04D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b movzx esi, bx 0x0000000e popad 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F3D50D0EC75h 0x00000015 mov ebp, esp 0x00000017 jmp 00007F3D50D0EC6Eh 0x0000001c xchg eax, ecx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F3D50D0EC6Eh 0x00000024 sbb cl, 00000068h 0x00000027 jmp 00007F3D50D0EC6Bh 0x0000002c popfd 0x0000002d mov esi, 0E90ED5Fh 0x00000032 popad 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA04D0 second address: 4DA04F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F3D507EA96Ch 0x0000000a and esi, 76E91DC8h 0x00000010 jmp 00007F3D507EA96Bh 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA04F4 second address: 4DA0539 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b jmp 00007F3D50D0EC6Ch 0x00000010 jmp 00007F3D50D0EC72h 0x00000015 popad 0x00000016 xchg eax, esi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0539 second address: 4DA0556 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA979h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0556 second address: 4DA059E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F3D50D0EC71h 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007F3D50D0EC6Ah 0x00000019 xor ecx, 2B1D1278h 0x0000001f jmp 00007F3D50D0EC6Bh 0x00000024 popfd 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA059E second address: 4DA05F9 instructions: 0x00000000 rdtsc 0x00000002 mov cx, 65AFh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F3D507EA974h 0x0000000d pushfd 0x0000000e jmp 00007F3D507EA972h 0x00000013 add ecx, 2D577C08h 0x00000019 jmp 00007F3D507EA96Bh 0x0000001e popfd 0x0000001f pop ecx 0x00000020 popad 0x00000021 lea eax, dword ptr [ebp-04h] 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F3D507EA971h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA05F9 second address: 4DA05FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA05FF second address: 4DA0616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3D507EA973h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0616 second address: 4DA0679 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007F3D50D0EC6Eh 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov ecx, 5F9B1AC3h 0x0000001a pushfd 0x0000001b jmp 00007F3D50D0EC78h 0x00000020 add eax, 1BE42588h 0x00000026 jmp 00007F3D50D0EC6Bh 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0679 second address: 4DA06C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA979h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F3D507EA96Eh 0x0000000f push dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F3D507EA977h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0700 second address: 4DA0704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0704 second address: 4DA070A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA070A second address: 4DA0739 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC6Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-04h], 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3D50D0EC77h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0739 second address: 4DA0767 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA979h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3D507EA96Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0767 second address: 4DA076D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA076D second address: 4DA07A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA973h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F3D507EA9CDh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F3D507EA970h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA07A0 second address: 4DA07AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA07AF second address: 4DA07C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3D507EA974h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0807 second address: 4DA081F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3D50D0EC74h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA081F second address: 4D90007 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA96Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b leave 0x0000000c jmp 00007F3D507EA976h 0x00000011 retn 0004h 0x00000014 nop 0x00000015 cmp eax, 00000000h 0x00000018 setne al 0x0000001b xor ebx, ebx 0x0000001d test al, 01h 0x0000001f jne 00007F3D507EA967h 0x00000021 xor eax, eax 0x00000023 sub esp, 08h 0x00000026 mov dword ptr [esp], 00000000h 0x0000002d mov dword ptr [esp+04h], 00000000h 0x00000035 call 00007F3D54F43DA3h 0x0000003a mov edi, edi 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90007 second address: 4D9003B instructions: 0x00000000 rdtsc 0x00000002 movsx edx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e mov edx, ecx 0x00000010 pushad 0x00000011 mov dl, ah 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F3D50D0EC78h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9003B second address: 4D9004A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA96Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9004A second address: 4D9005F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 741A0CCAh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cx, bx 0x00000012 mov eax, ebx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9005F second address: 4D90070 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3D507EA96Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90070 second address: 4D900AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007F3D50D0EC73h 0x00000011 pop ecx 0x00000012 jmp 00007F3D50D0EC79h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D902AA second address: 4D902BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3D507EA96Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D902BC second address: 4D90360 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d call 00007F3D50D0EC74h 0x00000012 pushfd 0x00000013 jmp 00007F3D50D0EC72h 0x00000018 and si, C418h 0x0000001d jmp 00007F3D50D0EC6Bh 0x00000022 popfd 0x00000023 pop eax 0x00000024 push edi 0x00000025 mov eax, 7D3AE9EBh 0x0000002a pop esi 0x0000002b popad 0x0000002c push eax 0x0000002d pushad 0x0000002e mov cl, ABh 0x00000030 pushfd 0x00000031 jmp 00007F3D50D0EC79h 0x00000036 or ecx, 7E6E9866h 0x0000003c jmp 00007F3D50D0EC71h 0x00000041 popfd 0x00000042 popad 0x00000043 xchg eax, esi 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 jmp 00007F3D50D0EC73h 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90360 second address: 4D90365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90365 second address: 4D9037B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3D50D0EC72h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9037B second address: 4D9037F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9037F second address: 4D903E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F3D50D0EC6Ch 0x0000000e mov dword ptr [esp], edi 0x00000011 jmp 00007F3D50D0EC70h 0x00000016 mov eax, dword ptr [75AF4538h] 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F3D50D0EC6Dh 0x00000024 jmp 00007F3D50D0EC6Bh 0x00000029 popfd 0x0000002a call 00007F3D50D0EC78h 0x0000002f pop eax 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D903E3 second address: 4D903E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D903E9 second address: 4D90413 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC6Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [ebp-08h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 call 00007F3D50D0EC6Dh 0x00000016 pop esi 0x00000017 mov edx, 40414C64h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90413 second address: 4D9047C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, 4Ch 0x00000005 mov ax, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor eax, ebp 0x0000000d jmp 00007F3D507EA96Ch 0x00000012 nop 0x00000013 jmp 00007F3D507EA970h 0x00000018 push eax 0x00000019 jmp 00007F3D507EA96Bh 0x0000001e nop 0x0000001f jmp 00007F3D507EA976h 0x00000024 lea eax, dword ptr [ebp-10h] 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F3D507EA977h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9047C second address: 4D90521 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 pushfd 0x00000007 jmp 00007F3D50D0EC70h 0x0000000c add eax, 14A82638h 0x00000012 jmp 00007F3D50D0EC6Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov dword ptr fs:[00000000h], eax 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F3D50D0EC74h 0x00000028 add esi, 35F32098h 0x0000002e jmp 00007F3D50D0EC6Bh 0x00000033 popfd 0x00000034 popad 0x00000035 mov dword ptr [ebp-18h], esp 0x00000038 pushad 0x00000039 pushad 0x0000003a push ebx 0x0000003b pop esi 0x0000003c pushad 0x0000003d popad 0x0000003e popad 0x0000003f mov ax, dx 0x00000042 popad 0x00000043 mov eax, dword ptr fs:[00000018h] 0x00000049 jmp 00007F3D50D0EC75h 0x0000004e mov ecx, dword ptr [eax+00000FDCh] 0x00000054 pushad 0x00000055 mov esi, 1416C5C3h 0x0000005a mov edx, ecx 0x0000005c popad 0x0000005d test ecx, ecx 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007F3D50D0EC6Ch 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90521 second address: 4D90527 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90527 second address: 4D90577 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 352261A3h 0x00000008 mov ebx, esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jns 00007F3D50D0ECC2h 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F3D50D0EC70h 0x0000001a add cx, F6E8h 0x0000001f jmp 00007F3D50D0EC6Bh 0x00000024 popfd 0x00000025 pushad 0x00000026 call 00007F3D50D0EC76h 0x0000002b pop ecx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90577 second address: 4D9059F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 add eax, ecx 0x00000008 jmp 00007F3D507EA977h 0x0000000d mov ecx, dword ptr [ebp+08h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9059F second address: 4D905BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D905BA second address: 4D905C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D905C0 second address: 4D905D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test ecx, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3D50D0EC6Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D905D6 second address: 4D905DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D905DC second address: 4D905E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D905E0 second address: 4D905E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D802DD second address: 4D802F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D802F8 second address: 4D8033B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 53h 0x00000005 pushfd 0x00000006 jmp 00007F3D507EA970h 0x0000000b or ecx, 302012B8h 0x00000011 jmp 00007F3D507EA96Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F3D507EA975h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8033B second address: 4D80374 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F3D50D0EC71h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 movzx esi, di 0x00000014 push edi 0x00000015 mov cl, 86h 0x00000017 pop ebx 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80374 second address: 4D80378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80378 second address: 4D8037E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8037E second address: 4D803B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F3D507EA96Eh 0x00000008 pop ecx 0x00000009 push edx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e sub esp, 2Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3D507EA978h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D803B2 second address: 4D8044A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F3D50D0EC74h 0x00000011 sbb ah, FFFFFFC8h 0x00000014 jmp 00007F3D50D0EC6Bh 0x00000019 popfd 0x0000001a pushfd 0x0000001b jmp 00007F3D50D0EC78h 0x00000020 sub eax, 43A35828h 0x00000026 jmp 00007F3D50D0EC6Bh 0x0000002b popfd 0x0000002c popad 0x0000002d push eax 0x0000002e jmp 00007F3D50D0EC79h 0x00000033 xchg eax, ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F3D50D0EC78h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8044A second address: 4D80459 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA96Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80459 second address: 4D80497 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F3D50D0EC6Ch 0x00000011 sbb cl, 00000078h 0x00000014 jmp 00007F3D50D0EC6Bh 0x00000019 popfd 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80497 second address: 4D8049D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8049D second address: 4D804B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 mov ecx, edi 0x0000000a mov edx, 31819DC0h 0x0000000f popad 0x00000010 xchg eax, edi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov edi, eax 0x00000016 mov bx, cx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D804DB second address: 4D804DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D804DF second address: 4D804E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D805F8 second address: 4D80665 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007F3D507EA978h 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F3D507EA96Ah 0x0000001a xor eax, 2F1BFBC8h 0x00000020 jmp 00007F3D507EA96Bh 0x00000025 popfd 0x00000026 pushfd 0x00000027 jmp 00007F3D507EA978h 0x0000002c sbb ch, 00000028h 0x0000002f jmp 00007F3D507EA96Bh 0x00000034 popfd 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80725 second address: 4D80746 instructions: 0x00000000 rdtsc 0x00000002 mov bx, 6220h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov ebx, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3D50D0EC71h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80746 second address: 4D8074C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8074C second address: 4D80752 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80752 second address: 4D807D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-2Ch] 0x0000000b jmp 00007F3D507EA972h 0x00000010 xchg eax, esi 0x00000011 jmp 00007F3D507EA970h 0x00000016 push eax 0x00000017 pushad 0x00000018 mov dx, BDA4h 0x0000001c jmp 00007F3D507EA96Dh 0x00000021 popad 0x00000022 xchg eax, esi 0x00000023 pushad 0x00000024 push ecx 0x00000025 pushfd 0x00000026 jmp 00007F3D507EA973h 0x0000002b sbb esi, 51FB6A6Eh 0x00000031 jmp 00007F3D507EA979h 0x00000036 popfd 0x00000037 pop eax 0x00000038 push eax 0x00000039 push edx 0x0000003a mov ah, dh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D807D0 second address: 4D80804 instructions: 0x00000000 rdtsc 0x00000002 mov dh, ah 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 jmp 00007F3D50D0EC70h 0x0000000d mov dword ptr [esp], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3D50D0EC77h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80804 second address: 4D8081C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3D507EA974h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8081C second address: 4D8084D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F3D50D0EC6Ch 0x0000000e mov dword ptr [esp], ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3D50D0EC77h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D8084D second address: 4D80853 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D808AA second address: 4D808B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D808B0 second address: 4D808B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D808B4 second address: 4D808C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ecx, 63339827h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D808C8 second address: 4D808CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D808CD second address: 4D808D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D808D3 second address: 4D80056 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F3DC15086E0h 0x0000000e xor eax, eax 0x00000010 jmp 00007F3D507C409Ah 0x00000015 pop esi 0x00000016 pop edi 0x00000017 pop ebx 0x00000018 leave 0x00000019 retn 0004h 0x0000001c nop 0x0000001d cmp eax, 00000000h 0x00000020 setne cl 0x00000023 xor ebx, ebx 0x00000025 test cl, 00000001h 0x00000028 jne 00007F3D507EA967h 0x0000002a jmp 00007F3D507EAADBh 0x0000002f call 00007F3D54F33C05h 0x00000034 mov edi, edi 0x00000036 pushad 0x00000037 jmp 00007F3D507EA96Dh 0x0000003c call 00007F3D507EA970h 0x00000041 jmp 00007F3D507EA972h 0x00000046 pop esi 0x00000047 popad 0x00000048 push esi 0x00000049 pushad 0x0000004a mov cx, CF03h 0x0000004e mov ecx, 2C0C585Fh 0x00000053 popad 0x00000054 mov dword ptr [esp], ebp 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F3D507EA971h 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80056 second address: 4D80078 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007F3D50D0EC6Dh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 mov ax, 80C5h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80136 second address: 4D80CFC instructions: 0x00000000 rdtsc 0x00000002 call 00007F3D507EA978h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov edx, 3B14C376h 0x0000000f popad 0x00000010 ret 0x00000011 nop 0x00000012 and bl, 00000001h 0x00000015 movzx eax, bl 0x00000018 lea esp, dword ptr [ebp-0Ch] 0x0000001b pop esi 0x0000001c pop edi 0x0000001d pop ebx 0x0000001e pop ebp 0x0000001f ret 0x00000020 add esp, 04h 0x00000023 jmp dword ptr [0064A41Ch+ebx*4] 0x0000002a push edi 0x0000002b call 00007F3D50810367h 0x00000030 push ebp 0x00000031 push ebx 0x00000032 push edi 0x00000033 push esi 0x00000034 sub esp, 000001D0h 0x0000003a mov dword ptr [esp+000001B4h], 0064CB10h 0x00000045 mov dword ptr [esp+000001B0h], 000000D0h 0x00000050 mov dword ptr [esp], 00000000h 0x00000057 mov eax, dword ptr [006481DCh] 0x0000005c call eax 0x0000005e mov edi, edi 0x00000060 pushad 0x00000061 pushfd 0x00000062 jmp 00007F3D507EA96Eh 0x00000067 sbb cx, 31E8h 0x0000006c jmp 00007F3D507EA96Bh 0x00000071 popfd 0x00000072 mov ch, F5h 0x00000074 popad 0x00000075 push ecx 0x00000076 push eax 0x00000077 push edx 0x00000078 jmp 00007F3D507EA977h 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80CFC second address: 4D80D02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80D02 second address: 4D80D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80D06 second address: 4D80D31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3D50D0EC75h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80D31 second address: 4D80D71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F3D507EA976h 0x0000000f cmp dword ptr [75AF459Ch], 05h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F3D507EA977h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80D71 second address: 4D80DAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F3DC1A1C8D7h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov si, dx 0x00000015 call 00007F3D50D0EC6Fh 0x0000001a pop ecx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80DAB second address: 4D80DB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 76301E4Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80DB5 second address: 4D80DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80DC3 second address: 4D80DC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80DC7 second address: 4D80DCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80DCB second address: 4D80DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80DD1 second address: 4D80DD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80E36 second address: 4D80E72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA96Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F3D507EA979h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F3D507EA96Ch 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80E72 second address: 4D80E78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80E78 second address: 4D80E7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80E7C second address: 4D80EB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F3D50D0EC75h 0x00000011 adc ah, 00000076h 0x00000014 jmp 00007F3D50D0EC71h 0x00000019 popfd 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80EB4 second address: 4D80EE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F3D507EA96Eh 0x0000000b sub al, FFFFFF98h 0x0000000e jmp 00007F3D507EA96Bh 0x00000013 popfd 0x00000014 popad 0x00000015 call 00007F3DC14FF600h 0x0000001a push 75A92B70h 0x0000001f push dword ptr fs:[00000000h] 0x00000026 mov eax, dword ptr [esp+10h] 0x0000002a mov dword ptr [esp+10h], ebp 0x0000002e lea ebp, dword ptr [esp+10h] 0x00000032 sub esp, eax 0x00000034 push ebx 0x00000035 push esi 0x00000036 push edi 0x00000037 mov eax, dword ptr [75AF4538h] 0x0000003c xor dword ptr [ebp-04h], eax 0x0000003f xor eax, ebp 0x00000041 push eax 0x00000042 mov dword ptr [ebp-18h], esp 0x00000045 push dword ptr [ebp-08h] 0x00000048 mov eax, dword ptr [ebp-04h] 0x0000004b mov dword ptr [ebp-04h], FFFFFFFEh 0x00000052 mov dword ptr [ebp-08h], eax 0x00000055 lea eax, dword ptr [ebp-10h] 0x00000058 mov dword ptr fs:[00000000h], eax 0x0000005e ret 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 popad 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80EE3 second address: 4D80EFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D50D0EC77h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA08B7 second address: 4DA08CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA96Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA08CA second address: 4DA0909 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 mov ecx, 36C7EF07h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 movzx eax, dx 0x00000014 call 00007F3D50D0EC75h 0x00000019 mov ah, 7Ch 0x0000001b pop ebx 0x0000001c popad 0x0000001d xchg eax, esi 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F3D50D0EC6Fh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0909 second address: 4DA090F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA090F second address: 4DA0913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0913 second address: 4DA094C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3D507EA96Eh 0x0000000e xchg eax, esi 0x0000000f jmp 00007F3D507EA970h 0x00000014 mov esi, dword ptr [ebp+0Ch] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F3D507EA96Ah 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA094C second address: 4DA0952 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0952 second address: 4DA0A2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3D507EA96Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b pushad 0x0000000c movzx ecx, di 0x0000000f mov di, 089Eh 0x00000013 popad 0x00000014 je 00007F3DC14D83AEh 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F3D507EA96Bh 0x00000021 and cx, D54Eh 0x00000026 jmp 00007F3D507EA979h 0x0000002b popfd 0x0000002c pushfd 0x0000002d jmp 00007F3D507EA970h 0x00000032 xor esi, 61FE69C8h 0x00000038 jmp 00007F3D507EA96Bh 0x0000003d popfd 0x0000003e popad 0x0000003f cmp dword ptr [75AF459Ch], 05h 0x00000046 pushad 0x00000047 mov ax, 545Bh 0x0000004b pushfd 0x0000004c jmp 00007F3D507EA970h 0x00000051 or si, 6C28h 0x00000056 jmp 00007F3D507EA96Bh 0x0000005b popfd 0x0000005c popad 0x0000005d je 00007F3DC14F0409h 0x00000063 jmp 00007F3D507EA976h 0x00000068 xchg eax, esi 0x00000069 pushad 0x0000006a mov ch, dl 0x0000006c popad 0x0000006d push eax 0x0000006e jmp 00007F3D507EA96Fh 0x00000073 xchg eax, esi 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 pushad 0x00000079 popad 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0A2C second address: 4DA0A32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0A32 second address: 4DA0A4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3D507EA979h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0ABA second address: 4DA0B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F3D50D0EC6Ah 0x0000000a and si, EA68h 0x0000000f jmp 00007F3D50D0EC6Bh 0x00000014 popfd 0x00000015 popad 0x00000016 push esi 0x00000017 pushfd 0x00000018 jmp 00007F3D50D0EC6Fh 0x0000001d or ch, FFFFFFAEh 0x00000020 jmp 00007F3D50D0EC79h 0x00000025 popfd 0x00000026 pop eax 0x00000027 popad 0x00000028 pop esi 0x00000029 jmp 00007F3D50D0EC77h 0x0000002e pop ebp 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F3D50D0EC75h 0x00000036 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 81878D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 65E8D7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 826BA9 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 3948 Thread sleep time: -150000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4268 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000003.2074780784.0000000005754000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, file.exe, 00000000.00000003.2155758852.0000000001031000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2156940751.0000000001031000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2156730025.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2074780784.0000000005754000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: file.exe, 00000000.00000003.2074780784.000000000574F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00640F10 LdrInitializeThunk, 0_2_00640F10

HIPS / PFW / Operating System Protection Evasion
barindex
LummaC encrypted strings found
Source: file.exe String found in binary or memory: scriptyprefej.store
Source: file.exe String found in binary or memory: navygenerayk.store
Source: file.exe String found in binary or memory: founpiuer.store
Source: file.exe String found in binary or memory: necklacedmny.store
Source: file.exe String found in binary or memory: thumbystriw.store
Source: file.exe String found in binary or memory: fadehairucw.store
Source: file.exe String found in binary or memory: crisiwarny.store
Source: file.exe String found in binary or memory: presticitpo.store
Source: file.exe, 00000000.00000002.2156197184.000000000083E000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: file.exe, 00000000.00000003.2114154432.00000000010A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155414603.00000000010A9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114026458.00000000010A6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2150400482.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124998793.00000000010A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 6648, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe String found in binary or memory: Wallets/Electrum-LTC
Source: file.exe, 00000000.00000003.2086942025.00000000010B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: file.exe, 00000000.00000003.2075150921.0000000001095000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Edge/Default/Extensions/Jaxx Liberty
Source: file.exe, 00000000.00000003.2061774988.00000000010A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: file.exe, 00000000.00000003.2075150921.0000000001095000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: file.exe, 00000000.00000003.2062200123.000000000109A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance{
Source: file.exe, 00000000.00000003.2086942025.00000000010B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000003.2086942025.00000000010B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: file.exe, 00000000.00000003.2062200123.000000000109A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger LiveG
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\JDDHMPCDUJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QFAPOWPAFG Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QFAPOWPAFG Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QFAPOWPAFG Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LHEPQPGEWF Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000003.2086942025.00000000010B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2086909296.00000000010A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2102016717.00000000010B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2087372814.00000000010B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2102226797.00000000010B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2101970932.00000000010A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2102168913.00000000010B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2103573537.00000000010B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2061774988.00000000010A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2074555367.00000000010A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2061829602.00000000010B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2062200123.00000000010A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2103604047.00000000010B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2075150921.00000000010A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6648, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 6648, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1545849 Sample: file.exe Startdate: 31/10/2024 Architecture: WINDOWS Score: 100 10 thumbystriw.store 2->10 12 presticitpo.store 2->12 14 3 other IPs or domains 2->14 18 Multi AV Scanner detection for domain / URL 2->18 20 Suricata IDS alerts for network traffic 2->20 22 Found malware configuration 2->22 24 10 other signatures 2->24 6 file.exe 2->6         started        signatures3 process4 dnsIp5 16 necklacedmny.store 188.114.96.3, 443, 49704, 49705 CLOUDFLARENETUS European Union 6->16 26 Detected unpacking (changes PE section rights) 6->26 28 Query firmware table information (likely to detect VMs) 6->28 30 Tries to detect sandboxes and other dynamic analysis tools (window names) 6->30 32 9 other signatures 6->32 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.96.3
 necklacedmny.store European Union
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
necklacedmny.store 188.114.96.3 true
presticitpo.store unknown unknown
thumbystriw.store unknown unknown
crisiwarny.store unknown unknown
fadehairucw.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://necklacedmny.store/api true
    		unknown
    presticitpo.store true
      		unknown
      scriptyprefej.store true
        		unknown
        necklacedmny.store true
          		unknown
          fadehairucw.store true
            		unknown
            navygenerayk.store true
              		unknown
              founpiuer.store true
                		unknown
                thumbystriw.store true
                  		unknown
                  crisiwarny.store true
                    		unknown