Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1571976
MD5: 1cfa4d3434f4056fd9d63f5c16c73c76
SHA1: 6c86f5fb5062e2037b6baf1701230bff249f89f7
SHA256: 49d35e116cb2a602f6f457f4003e0247c283b7e659f9f78022e102a25307acb1
Tags: exeuser-Bitsight

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

Source: file.exe Avira: detected
Source: https://atten-supporse.biz/B Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/apiF Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/api66 Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/v8 Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/api) Avira URL Cloud: Label: malware
Source: file.exe.5632.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["se-blurry.biz", "zinc-sneark.biz", "atten-supporse.biz", "covery-mover.biz", "formy-spill.biz", "dare-curbys.biz", "impend-differ.biz", "dwell-exclaim.biz", "print-vexer.biz"], "Build id": "LOGS11--LiveTraffic"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: 00000000.00000003.2140898780.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: impend-differ.biz
Source: 00000000.00000003.2140898780.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: print-vexer.biz
Source: 00000000.00000003.2140898780.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: dare-curbys.biz
Source: 00000000.00000003.2140898780.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: covery-mover.biz
Source: 00000000.00000003.2140898780.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: formy-spill.biz
Source: 00000000.00000003.2140898780.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: dwell-exclaim.biz
Source: 00000000.00000003.2140898780.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: zinc-sneark.biz
Source: 00000000.00000003.2140898780.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: se-blurry.biz
Source: 00000000.00000003.2140898780.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: atten-supporse.biz
Source: 00000000.00000003.2140898780.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.2140898780.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.2140898780.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000003.2140898780.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.2140898780.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000003.2140898780.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: LOGS11--LiveTraffic
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000C6B7E CryptUnprotectData, 0_2_000C6B7E
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49727 version: TLS 1.2

Networking

Source: Network traffic Suricata IDS: 2057921 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz) : 192.168.2.6:55011 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:49713 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:49707 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:49710 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:49709 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:49711 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:49727 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:49719 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:49744 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49707 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49707 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49719 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49709 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49709 -> 104.21.112.1:443
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49713 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49707 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49710 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49709 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49711 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49727 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49719 -> 104.21.112.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49744 -> 104.21.112.1:443
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: atten-supporse.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 53Host: atten-supporse.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NVWURIH7DUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12811Host: atten-supporse.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4QAMFM7G36V1CLGD16User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15111Host: atten-supporse.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=D4ST53SEUXIHADUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19945Host: atten-supporse.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LBMLM2C9YDSTAUQ7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1216Host: atten-supporse.biz
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=MEKP6SVXFRUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 571362Host: atten-supporse.biz
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: atten-supporse.biz
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: atten-supporse.biz
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49727 version: TLS 1.2

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: String function: 000B8000 appears 55 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 000C4A30 appears 76 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9975197339965398
Source: file.exe Static PE information: Section: bewqqxki ZLIB complexity 0.99474094643944
Source: file.exe Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000E0A6C CoCreateInstance, 0_2_000E0A6C
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000003.2213378420.0000000005918000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2190780011.00000000058F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: file.exe Static file information: File size 1846272 > 1048576
Source: file.exe Static PE information: Raw size of bewqqxki is bigger than: 0x100000 < 0x19ac00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bewqqxki:EW;foqowxur:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bewqqxki:EW;foqowxur:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x1d16cb should be: 0x1c4889
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: bewqqxki
Source: file.exe Static PE information: section name: foqowxur
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0010A276 push ebx; mov dword ptr [esp], edx 0_2_0010A4BD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00109BDD push ecx; mov dword ptr [esp], 6EE7D6BAh 0_2_0010A519
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0010E013 push 02C1C67Fh; mov dword ptr [esp], ebp 0_2_0010E025
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push edx; mov dword ptr [esp], ecx 0_2_00274046
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push 3EDD1B3Fh; mov dword ptr [esp], edx 0_2_00274083
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push edx; mov dword ptr [esp], edi 0_2_002740BB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push esi; mov dword ptr [esp], eax 0_2_00274164
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push 7F825E88h; mov dword ptr [esp], edi 0_2_002741B2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push edx; mov dword ptr [esp], 57CB1161h 0_2_002742B7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push ecx; mov dword ptr [esp], edx 0_2_002743E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push edi; mov dword ptr [esp], 3B8580A8h 0_2_00274495
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push ebp; mov dword ptr [esp], eax 0_2_002744A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push 3C5849DDh; mov dword ptr [esp], esi 0_2_002744C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push ebx; mov dword ptr [esp], edi 0_2_00274517
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push ecx; mov dword ptr [esp], 731F5D72h 0_2_0027454F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push edx; mov dword ptr [esp], ecx 0_2_00274609
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push esi; mov dword ptr [esp], ebp 0_2_00274632
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push ebp; mov dword ptr [esp], 7064C796h 0_2_00274641
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push 763BA314h; mov dword ptr [esp], edi 0_2_0027466F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push edx; mov dword ptr [esp], eax 0_2_0027471B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push ecx; mov dword ptr [esp], 77FB9F81h 0_2_00274746
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push 13A358A1h; mov dword ptr [esp], ebx 0_2_0027475C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push ebp; mov dword ptr [esp], 05FBFABAh 0_2_00274761
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push 3A2ED171h; mov dword ptr [esp], esi 0_2_002747C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push 2F7F7831h; mov dword ptr [esp], ebp 0_2_0027481C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push 04AA5ADBh; mov dword ptr [esp], ebp 0_2_00274859
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push ebx; mov dword ptr [esp], edx 0_2_0027485D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push ebx; mov dword ptr [esp], esi 0_2_00274866
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push esi; mov dword ptr [esp], 7DFBEC60h 0_2_002748D5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push eax; mov dword ptr [esp], ecx 0_2_002748EE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00274023 push 6C242860h; mov dword ptr [esp], edi 0_2_002748F6
Source: file.exe Static PE information: section name: entropy: 7.980056988548206
Source: file.exe Static PE information: section name: bewqqxki entropy: 7.953902804253043
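The static indicators in this section (EXECUTABLE_IMAGE and 32BIT_MACHINE in the file header, an entry point inside the .taggant section, a header checksum that does not match the file, section names such as bewqqxki and foqowxur, and sections whose entropy is close to 8 bits per byte) can all be reproduced from the file alone, without a sandbox. The block below is an added example written for this page, not tooling from the report or the sample: a dependency-free PE32 reader that recomputes those indicators. Because the analysed file is not available offline, it runs against a constructed PE image with the same shape (three sections, the entry point in a trailing section named .taggant, a near-random section named bewqqxki, and the report's stale checksum value 0x1d16cb written into the header); that image, the entropy threshold of 7.5 and the list of "standard" section names are assumptions of the example.

```python
import hashlib
import math
import struct
from collections import Counter

# Names a normal linker emits; anything else (bewqqxki, foqowxur, .taggant) is worth a look.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc", ".bss", ".tls"}

def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant input, near 8.0 for packed or encrypted bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_checksum(data, checksum_offset):
    """imagehlp-style CheckSum: dword sum with end-around carry, skipping the CheckSum
    field itself (dword aligned in any real header), folded to 16 bits plus file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != checksum_offset:
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def parse_pe(data):
    """Minimal PE32 reader: entry point RVA, CheckSum field and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("this example reads PE32 only")
    table = opt + struct.unpack_from("<H", data, coff + 16)[0]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "raw": data[rawptr:rawptr + rawsize]})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0], "checksum_off": opt + 64,
            "stated_checksum": struct.unpack_from("<I", data, opt + 64)[0], "sections": sections}

def triage(data, entropy_threshold=7.5):
    """Reproduce the report's static indicators from the file alone."""
    pe = parse_pe(data)
    findings, entry_section = [], None
    for s in pe["sections"]:
        s["entropy"] = shannon_entropy(s["raw"])
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], len(s["raw"])):
            entry_section = s["name"]
        if s["entropy"] >= entropy_threshold:
            findings.append(f"section {s['name']!r} entropy {s['entropy']:.2f}: packed or encrypted")
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {s['name']!r}")
    if entry_section not in STANDARD_SECTIONS:
        findings.append(f"entry point 0x{pe['entry_rva']:X} lies in section {entry_section!r}")
    computed = pe_checksum(data, pe["checksum_off"])
    if pe["stated_checksum"] and pe["stated_checksum"] != computed:
        findings.append(f"real checksum 0x{pe['stated_checksum']:x} should be 0x{computed:x}")
    return {"entry_section": entry_section, "stated_checksum": pe["stated_checksum"],
            "computed_checksum": computed, "findings": findings,
            "entropy": {s["name"]: round(s["entropy"], 3) for s in pe["sections"]}}

def patch_checksum(data, value):
    """Write a CheckSum value into the header: the fix-up step a packer usually skips."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, parse_pe(data)["checksum_off"], value)
    return bytes(buf)

def pseudo_random_bytes(n):  # deterministic high-entropy filler standing in for a packed payload
    return b"".join(hashlib.sha256(b"packed%d" % i).digest() for i in range(n // 32 + 1))[:n]

def build_sample_pe():
    """Constructed PE32 image (an assumption of this example, not the analysed file) with the
    shape the report describes: entry point in a trailing .taggant section, a near-random
    bewqqxki section, and the report's stale checksum value 0x1d16cb in the header."""
    sections = [(b".text", 0x60000020, b"\xC3" + b"\0" * 0x1FF),
                (b"bewqqxki", 0xE0000020, pseudo_random_bytes(0x1000)),
                (b".taggant", 0xE0000020, b"\x90" * 0x10 + b"\xEB\xFE" + b"\0" * 0x1EE)]
    file_align, sect_align, headers_size = 0x200, 0x1000, 0x200  # 432 header bytes round up to 0x200
    table, blobs, va, raw_ptr, entry_rva = b"", b"", sect_align, headers_size, 0
    for name, chars, raw in sections:  # raw sizes are already multiples of file_align
        vsize = -(-len(raw) // sect_align) * sect_align
        if name == b".taggant":
            entry_rva = va + 0x10  # the nop sled inside .taggant
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        blobs, va, raw_ptr = blobs + raw, va + vsize, raw_ptr + len(raw)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)  # i386, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0x200, 0x1200, 0, entry_rva, 0x1000, 0x2000, 0x400000,
                      sect_align, file_align, 6, 0, 0, 0, 6, 0, 0, va, headers_size, 0x1D16CB,
                      2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    image = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (headers_size - len(image)) + blobs
```

Calling triage(build_sample_pe()) returns four kinds of finding on the constructed image: the high-entropy bewqqxki section, the two non-standard names, the entry point inside .taggant and the checksum mismatch. Writing the computed value back with patch_checksum() removes only the checksum finding, which is the pattern the lines above describe: a packer rewrote the file and never fixed the header. A checksum field of zero is reported as nothing, since unsigned binaries routinely ship without one; the 7.5 threshold is a common rule of thumb, not a value taken from the report.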

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2864EE second address: 286512 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA93CFE6D5Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA93CFE6D62h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26CE73 second address: 26CE87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA93D08FA20h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26CE87 second address: 26CE8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26CE8B second address: 26CE91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26CE91 second address: 26CE9E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 285879 second address: 28587D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28587D second address: 2858A0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FA93CFE6D69h 0x0000000c jmp 00007FA93CFE6D63h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2858A0 second address: 2858A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2858A4 second address: 2858A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 285B82 second address: 285B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 285B86 second address: 285B98 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA93CFE6D56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FA93CFE6D56h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 28867A second address: 2886E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93D08FA20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 3D51D6D4h 0x00000010 pushad 0x00000011 jmp 00007FA93D08FA26h 0x00000016 sub dword ptr [ebp+122D35E7h], edx 0x0000001c popad 0x0000001d lea ebx, dword ptr [ebp+12453497h] 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007FA93D08FA18h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 00000015h 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d mov dh, bl 0x0000003f xchg eax, ebx 0x00000040 jng 00007FA93D08FA22h 0x00000046 jo 00007FA93D08FA1Ch 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2887AA second address: 2887BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2887BA second address: 2887BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27F8A2 second address: 27F8A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A7938 second address: 2A793C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A793C second address: 2A7940 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A7940 second address: 2A7985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA93D08FA27h 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FA93D08FA27h 0x00000012 jl 00007FA93D08FA1Ch 0x00000018 je 00007FA93D08FA16h 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A7C9E second address: 2A7CA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FA93CFE6D56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A7CA9 second address: 2A7CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A7DF8 second address: 2A7E19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D67h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A7E19 second address: 2A7E1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A7F7D second address: 2A7F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A872E second address: 2A8762 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93D08FA21h 0x00000007 jg 00007FA93D08FA16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 push esi 0x00000013 pop esi 0x00000014 jns 00007FA93D08FA16h 0x0000001a jbe 00007FA93D08FA16h 0x00000020 popad 0x00000021 pop ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A8762 second address: 2A8775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA93CFE6D5Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A8775 second address: 2A877B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A877B second address: 2A8794 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA93CFE6D64h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A8794 second address: 2A879A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29E94A second address: 29E951 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27DDB8 second address: 27DDBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27DDBC second address: 27DDF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FA93CFE6D67h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27DDF6 second address: 27DE10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnc 00007FA93D08FA16h 0x0000000c popad 0x0000000d jmp 00007FA93D08FA1Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A88D8 second address: 2A88E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A88E0 second address: 2A88E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A88E6 second address: 2A88EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A88EB second address: 2A8917 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93D08FA21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007FA93D08FA23h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 272121 second address: 272125 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 272125 second address: 272136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA93D08FA1Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 272136 second address: 27213C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27213C second address: 272140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 272140 second address: 272159 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FA93CFE6D56h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27C371 second address: 27C37C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B5ED5 second address: 2B5EE9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FA93CFE6D62h 0x0000000c jng 00007FA93CFE6D56h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B6041 second address: 2B605B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA93D08FA25h 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B605B second address: 2B6060 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B64C2 second address: 2B64CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B64CB second address: 2B64D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B8D97 second address: 2B8E1C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007FA93D08FA25h 0x0000000c pop edx 0x0000000d popad 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 jns 00007FA93D08FA18h 0x00000019 pushad 0x0000001a jmp 00007FA93D08FA29h 0x0000001f jmp 00007FA93D08FA1Fh 0x00000024 popad 0x00000025 popad 0x00000026 mov eax, dword ptr [eax] 0x00000028 jmp 00007FA93D08FA1Dh 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 push ebx 0x00000032 pushad 0x00000033 pushad 0x00000034 popad 0x00000035 pushad 0x00000036 popad 0x00000037 popad 0x00000038 pop ebx 0x00000039 pop eax 0x0000003a mov edi, 0E4A79C1h 0x0000003f push 3313B808h 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 jg 00007FA93D08FA16h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B988A second address: 2B9890 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B9B75 second address: 2B9B93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93D08FA1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007FA93D08FA16h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B9B93 second address: 2B9B97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B9B97 second address: 2B9B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B9C92 second address: 2B9C9C instructions: 0x00000000 rdtsc 0x00000002 je 00007FA93CFE6D5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B9DDE second address: 2B9DE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B9DE2 second address: 2B9E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jmp 00007FA93CFE6D5Eh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007FA93CFE6D58h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 jmp 00007FA93CFE6D60h 0x0000002d jmp 00007FA93CFE6D68h 0x00000032 xchg eax, ebx 0x00000033 pushad 0x00000034 pushad 0x00000035 jmp 00007FA93CFE6D63h 0x0000003a jmp 00007FA93CFE6D65h 0x0000003f popad 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FA93CFE6D5Eh 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BA4F7 second address: 2BA4FD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BAD99 second address: 2BAD9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BAD9F second address: 2BADA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BADA3 second address: 2BADA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BB6AC second address: 2BB6B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BB6B2 second address: 2BB6BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BD60A second address: 2BD610 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BD610 second address: 2BD66C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov esi, 0E7B9B59h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007FA93CFE6D58h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a call 00007FA93CFE6D68h 0x0000002f mov si, ax 0x00000032 pop esi 0x00000033 push 00000000h 0x00000035 and edi, 2D992A24h 0x0000003b xchg eax, ebx 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BD66C second address: 2BD670 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BE15F second address: 2BE165 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BE165 second address: 2BE169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BD3B0 second address: 2BD3B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BD3B6 second address: 2BD3BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BECF6 second address: 2BECFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF8CE second address: 2BF8D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FA93D08FA16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF645 second address: 2BF64B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C0103 second address: 2C0107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C0107 second address: 2C010B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C214E second address: 2C2153 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C010B second address: 2C0115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C2153 second address: 2C2163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C0115 second address: 2C0119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C2163 second address: 2C2167 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C2167 second address: 2C216D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C372B second address: 2C3739 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C3739 second address: 2C373D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C2953 second address: 2C2957 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C373D second address: 2C3743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C39C4 second address: 2C39D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C39D2 second address: 2C39D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C39D6 second address: 2C39E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93D08FA1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C5862 second address: 2C5875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA93CFE6D5Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C39E6 second address: 2C39EB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C5875 second address: 2C587B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C68C4 second address: 2C68C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C68C8 second address: 2C68CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C59B6 second address: 2C59D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jo 00007FA93D08FA16h 0x0000000b jo 00007FA93D08FA16h 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jbe 00007FA93D08FA18h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C68CE second address: 2C68DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA93CFE6D5Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C78C4 second address: 2C78D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA93D08FA1Bh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C888B second address: 2C88F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007FA93CFE6D69h 0x0000000f push 00000000h 0x00000011 js 00007FA93CFE6D7Ch 0x00000017 call 00007FA93CFE6D62h 0x0000001c jmp 00007FA93CFE6D63h 0x00000021 pop ebx 0x00000022 push 00000000h 0x00000024 mov di, 953Dh 0x00000028 xchg eax, esi 0x00000029 jnp 00007FA93CFE6D5Ah 0x0000002f push edx 0x00000030 push edx 0x00000031 pop edx 0x00000032 pop edx 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push ebx 0x00000037 push esi 0x00000038 pop esi 0x00000039 pop ebx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C7ACD second address: 2C7B6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA93D08FA1Ah 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov di, si 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007FA93D08FA18h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 push esi 0x00000035 jmp 00007FA93D08FA28h 0x0000003a pop ebx 0x0000003b jmp 00007FA93D08FA20h 0x00000040 mov dword ptr fs:[00000000h], esp 0x00000047 mov dword ptr [ebp+1245830Fh], ecx 0x0000004d mov edi, eax 0x0000004f mov eax, dword ptr [ebp+122D01D1h] 0x00000055 stc 0x00000056 push FFFFFFFFh 0x00000058 jl 00007FA93D08FA1Ah 0x0000005e mov di, 2005h 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007FA93D08FA20h 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C992A second address: 2C9992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA93CFE6D5Eh 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FA93CFE6D58h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D2D8Fh], esi 0x0000002d push 00000000h 0x0000002f mov bx, F375h 0x00000033 push 00000000h 0x00000035 sub dword ptr [ebp+122D2FA4h], eax 0x0000003b xchg eax, esi 0x0000003c push esi 0x0000003d jmp 00007FA93CFE6D5Dh 0x00000042 pop esi 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007FA93CFE6D5Eh 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C9992 second address: 2C99A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA93D08FA1Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C99A5 second address: 2C99A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C9B76 second address: 2C9BE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93D08FA1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, dword ptr [ebp+122D35ACh] 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov di, 39F2h 0x0000001e add edi, 72ACCB4Ah 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b mov dword ptr [ebp+122D35E7h], edi 0x00000031 mov eax, dword ptr [ebp+122D1741h] 0x00000037 push 00000000h 0x00000039 push edi 0x0000003a call 00007FA93D08FA18h 0x0000003f pop edi 0x00000040 mov dword ptr [esp+04h], edi 0x00000044 add dword ptr [esp+04h], 00000015h 0x0000004c inc edi 0x0000004d push edi 0x0000004e ret 0x0000004f pop edi 0x00000050 ret 0x00000051 movsx edi, bx 0x00000054 push FFFFFFFFh 0x00000056 mov ebx, dword ptr [ebp+122D3A21h] 0x0000005c push eax 0x0000005d push esi 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C9BE4 second address: 2C9BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CBABF second address: 2CBAC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CEC44 second address: 2CEC54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA93CFE6D5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CF1BA second address: 2CF1BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CF1BE second address: 2CF1C4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CF1C4 second address: 2CF1E3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA93D08FA25h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D11DB second address: 2D11EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D11EB second address: 2D11F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FA93D08FA16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D03D9 second address: 2D03F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007FA93CFE6D5Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D11F5 second address: 2D1241 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+12457ED4h], ecx 0x00000011 push 00000000h 0x00000013 mov edi, edx 0x00000015 push 00000000h 0x00000017 jmp 00007FA93D08FA23h 0x0000001c xchg eax, esi 0x0000001d jnl 00007FA93D08FA22h 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jne 00007FA93D08FA1Ch 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D212D second address: 2D2132 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DAE76 second address: 2DAE92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA93D08FA26h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DAE92 second address: 2DAE97 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DB021 second address: 2DB039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FA93D08FA1Ch 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DB35A second address: 2DB366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jng 00007FA93CFE6D56h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DFADB second address: 2DFAE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA93D08FA1Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DFB8D second address: 2DFB9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007FA93CFE6D56h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DFC54 second address: 2DFC58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DFC58 second address: 2DFC5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DFC5C second address: 2DFC62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DFC62 second address: 2DFC82 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA93CFE6D5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007FA93CFE6D5Ch 0x00000014 js 00007FA93CFE6D56h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DFD37 second address: 2DFD42 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DFD42 second address: 2DFD4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DFD4E second address: 2DFDB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93D08FA28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f jbe 00007FA93D08FA23h 0x00000015 pop eax 0x00000016 mov eax, dword ptr [eax] 0x00000018 jmp 00007FA93D08FA25h 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FA93D08FA1Fh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DFDB1 second address: 2DFDB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E5C9C second address: 2E5CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E5CA7 second address: 2E5CAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E5CAB second address: 2E5CCA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnp 00007FA93D08FA16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jmp 00007FA93D08FA1Eh 0x00000012 pop esi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E52CD second address: 2E52D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E56EC second address: 2E56F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FA93D08FA16h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E56F8 second address: 2E5717 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D5Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jnc 00007FA93CFE6D56h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EB1DA second address: 2EB1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FA93D08FA1Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EB1F2 second address: 2EB1F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EB1F8 second address: 2EB1FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EB1FC second address: 2EB219 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D60h 0x00000007 jg 00007FA93CFE6D56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EB219 second address: 2EB220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E9E50 second address: 2E9E54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E9E54 second address: 2E9E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EAB8E second address: 2EAB97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EDF0E second address: 2EDF12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EDF12 second address: 2EDF30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA93CFE6D65h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EDF30 second address: 2EDF3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FA93D08FA16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EDF3C second address: 2EDF42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2813D8 second address: 2813E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F38B9 second address: 2F38BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F38BF second address: 2F38C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F38C9 second address: 2F38CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F38CF second address: 2F38D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F2316 second address: 2F231A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F231A second address: 2F231E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F231E second address: 2F2340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA93CFE6D5Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FA93CFE6D5Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F2687 second address: 2F268B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F268B second address: 2F268F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F268F second address: 2F26BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA93D08FA24h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007FA93D08FA29h 0x00000011 jmp 00007FA93D08FA1Dh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F2809 second address: 2F2815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA93CFE6D56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F2815 second address: 2F2829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007FA93D08FA1Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F2B49 second address: 2F2B4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F2CC9 second address: 2F2CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29F48B second address: 29F4A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA93CFE6D58h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d jl 00007FA93CFE6D6Eh 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2704CA second address: 270522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FA93D08FA16h 0x0000000a popad 0x0000000b jmp 00007FA93D08FA29h 0x00000010 pushad 0x00000011 jno 00007FA93D08FA16h 0x00000017 jnc 00007FA93D08FA16h 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FA93D08FA1Ah 0x00000029 jmp 00007FA93D08FA26h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F3731 second address: 2F3735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F3735 second address: 2F375D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA93D08FA1Fh 0x00000008 jne 00007FA93D08FA16h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jo 00007FA93D08FA16h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F375D second address: 2F3775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA93CFE6D63h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F3775 second address: 2F377F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FA93D08FA16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F1EA1 second address: 2F1EAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007FA93CFE6D56h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FC38A second address: 2FC38F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FB21F second address: 2FB234 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FB234 second address: 2FB23F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA93D08FA16h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 332969 second address: 33296D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33296D second address: 332981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA93D08FA1Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 332981 second address: 33299C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D61h 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FA93CFE6D56h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33299C second address: 3329A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33438F second address: 334393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33F401 second address: 33F422 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FA93D08FA23h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007FA93D08FA16h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34514D second address: 345151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27A766 second address: 27A78D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007FA93D08FA25h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f js 00007FA93D08FA16h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 344CCD second address: 344CE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D62h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 348B6C second address: 348B7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FA93D08FA16h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 351DC1 second address: 351DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35726B second address: 357275 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA93D08FA1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35CDD0 second address: 35CDD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35CF5B second address: 35CF77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA93D08FA28h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35CF77 second address: 35CF87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D5Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35CF87 second address: 35CFB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FA93D08FA27h 0x0000000c jmp 00007FA93D08FA1Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35CFB2 second address: 35CFBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007FA93CFE6D62h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35CFBF second address: 35CFC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35D3CF second address: 35D3E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FA93CFE6D56h 0x0000000a pop eax 0x0000000b push esi 0x0000000c jns 00007FA93CFE6D56h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35D524 second address: 35D52A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35D52A second address: 35D534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35D534 second address: 35D538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35D538 second address: 35D567 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D67h 0x00000007 jmp 00007FA93CFE6D64h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35D567 second address: 35D574 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA93D08FA18h 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35D705 second address: 35D70C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35D70C second address: 35D712 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35D712 second address: 35D723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA93CFE6D5Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35D8EF second address: 35D8F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35D8F3 second address: 35D908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA93CFE6D5Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35E2D0 second address: 35E2E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jnc 00007FA93D08FA16h 0x0000000b jc 00007FA93D08FA16h 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 361EA0 second address: 361EA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 361B5F second address: 361B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA93D08FA23h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 361B79 second address: 361B83 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA93CFE6D56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36E469 second address: 36E46D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36E46D second address: 36E473 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36C265 second address: 36C26B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36C26B second address: 36C26F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37ECC6 second address: 37ECCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37ECCC second address: 37ECD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 394A83 second address: 394A87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 394D0A second address: 394D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 394D12 second address: 394D27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jp 00007FA93D08FA16h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 394D27 second address: 394D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 394D2D second address: 394D31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 394D31 second address: 394D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d js 00007FA93CFE6D56h 0x00000013 jnp 00007FA93CFE6D56h 0x00000019 push eax 0x0000001a pop eax 0x0000001b popad 0x0000001c push edi 0x0000001d jl 00007FA93CFE6D56h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 394FD1 second address: 394FEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93D08FA27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 394FEF second address: 39500B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA93CFE6D66h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 395476 second address: 39547D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3984E2 second address: 3984E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3984E6 second address: 3984EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3984EC second address: 398511 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007FA93CFE6D61h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 398511 second address: 398519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3987EB second address: 39883F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FA93CFE6D5Ch 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007FA93CFE6D58h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 mov edx, dword ptr [ebp+122D1AD0h] 0x0000002e push 00000004h 0x00000030 or edx, 705D99F7h 0x00000036 call 00007FA93CFE6D59h 0x0000003b push esi 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39883F second address: 398843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 398843 second address: 398847 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 398847 second address: 398879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jmp 00007FA93D08FA1Bh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push ebx 0x00000012 jo 00007FA93D08FA18h 0x00000018 pushad 0x00000019 popad 0x0000001a pop ebx 0x0000001b mov eax, dword ptr [eax] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jmp 00007FA93D08FA1Ah 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 398879 second address: 39887E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39B4D9 second address: 39B4DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 39B4DD second address: 39B4F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F8032B second address: 4F80344 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93D08FA25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F80344 second address: 4F80375 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA93CFE6D67h 0x00000008 pop esi 0x00000009 mov bx, 455Ch 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FA93CFE6D5Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F80375 second address: 4F80379 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F80379 second address: 4F8037F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F8037F second address: 4F803C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA93D08FA1Ch 0x00000008 pop ecx 0x00000009 call 00007FA93D08FA1Bh 0x0000000e pop eax 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov dword ptr [esp], ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a pushfd 0x0000001b jmp 00007FA93D08FA1Eh 0x00000020 xor cl, 00000008h 0x00000023 jmp 00007FA93D08FA1Bh 0x00000028 popfd 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F803C5 second address: 4F80421 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c movzx eax, dx 0x0000000f push edi 0x00000010 pushfd 0x00000011 jmp 00007FA93CFE6D64h 0x00000016 sub ah, FFFFFFC8h 0x00000019 jmp 00007FA93CFE6D5Bh 0x0000001e popfd 0x0000001f pop eax 0x00000020 popad 0x00000021 mov edx, dword ptr [ebp+0Ch] 0x00000024 pushad 0x00000025 mov ax, di 0x00000028 mov dh, D3h 0x0000002a popad 0x0000002b mov ecx, dword ptr [ebp+08h] 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 mov cl, 31h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F80421 second address: 4F8045D instructions: 0x00000000 rdtsc 0x00000002 mov ax, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushfd 0x0000000a jmp 00007FA93D08FA23h 0x0000000f xor ax, D06Eh 0x00000014 jmp 00007FA93D08FA29h 0x00000019 popfd 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0753 second address: 4FA07BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA93CFE6D67h 0x00000009 sub ax, E9FEh 0x0000000e jmp 00007FA93CFE6D69h 0x00000013 popfd 0x00000014 mov ebx, ecx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a jmp 00007FA93CFE6D5Ah 0x0000001f mov ebp, esp 0x00000021 jmp 00007FA93CFE6D60h 0x00000026 xchg eax, ecx 0x00000027 pushad 0x00000028 mov ebx, ecx 0x0000002a popad 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA07BB second address: 4FA07D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93D08FA27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA07D6 second address: 4FA07EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA93CFE6D64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA07EE second address: 4FA085E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93D08FA1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FA93D08FA24h 0x00000013 adc ax, 6F48h 0x00000018 jmp 00007FA93D08FA1Bh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FA93D08FA28h 0x00000024 sbb cl, FFFFFFA8h 0x00000027 jmp 00007FA93D08FA1Bh 0x0000002c popfd 0x0000002d popad 0x0000002e xchg eax, esi 0x0000002f pushad 0x00000030 movzx esi, di 0x00000033 mov dh, E6h 0x00000035 popad 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA085E second address: 4FA0865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0865 second address: 4FA08A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 pushfd 0x00000007 jmp 00007FA93D08FA26h 0x0000000c add esi, 4B26C668h 0x00000012 jmp 00007FA93D08FA1Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, esi 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f call 00007FA93D08FA1Bh 0x00000024 pop eax 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA08A8 second address: 4FA08E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FA93CFE6D68h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA08E0 second address: 4FA08EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93D08FA1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA08EF second address: 4FA08F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0A7A second address: 4FA0AEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA93D08FA1Fh 0x00000009 xor cx, 4ADEh 0x0000000e jmp 00007FA93D08FA29h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FA93D08FA20h 0x0000001a xor si, 7AD8h 0x0000001f jmp 00007FA93D08FA1Bh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 mov eax, esi 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FA93D08FA25h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0AEA second address: 4FA0B12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 78h 0x00000005 call 00007FA93CFE6D68h 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0B12 second address: 4FA0B2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93D08FA26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0B2C second address: 4FA0B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0B32 second address: 4FA0B36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0B36 second address: 4FA0B3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0B3A second address: 4FA0B4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ah, 9Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0B4A second address: 4FA0B4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0B4F second address: 4FA003B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93D08FA1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d sub esp, 04h 0x00000010 xor ebx, ebx 0x00000012 cmp eax, 00000000h 0x00000015 je 00007FA93D08FB63h 0x0000001b xor eax, eax 0x0000001d mov dword ptr [esp], 00000000h 0x00000024 mov dword ptr [esp+04h], 00000000h 0x0000002c call 00007FA941F4DFABh 0x00000031 mov edi, edi 0x00000033 jmp 00007FA93D08FA26h 0x00000038 xchg eax, ebp 0x00000039 pushad 0x0000003a push ecx 0x0000003b pop esi 0x0000003c push ebx 0x0000003d call 00007FA93D08FA24h 0x00000042 pop eax 0x00000043 pop edx 0x00000044 popad 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA003B second address: 4FA0055 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0055 second address: 4FA007D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 push eax 0x00000007 pop edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FA93D08FA24h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA007D second address: 4FA0081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0081 second address: 4FA0087 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0087 second address: 4FA00C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push FFFFFFFEh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ecx, ebx 0x00000010 call 00007FA93CFE6D69h 0x00000015 pop esi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA00C1 second address: 4FA00D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA93D08FA1Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA00D2 second address: 4FA00EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007FA93CFE6D59h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov edx, esi 0x00000012 movzx ecx, di 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA00EC second address: 4FA0110 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 12B24219h 0x00000008 mov eax, 4D9BE6D5h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007FA93D08FA1Ch 0x00000019 movzx esi, bx 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0110 second address: 4FA0135 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA93CFE6D5Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0135 second address: 4FA013B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA013B second address: 4FA0184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c mov edi, 0D0164E4h 0x00000011 pushfd 0x00000012 jmp 00007FA93CFE6D5Dh 0x00000017 adc eax, 7BE8C526h 0x0000001d jmp 00007FA93CFE6D61h 0x00000022 popfd 0x00000023 popad 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0184 second address: 4FA0188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0188 second address: 4FA018E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA02A5 second address: 4FA02AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA02AA second address: 4FA02D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 pushad 0x00000009 mov dx, D986h 0x0000000d mov di, 0812h 0x00000011 popad 0x00000012 sub esp, 18h 0x00000015 pushad 0x00000016 mov bx, 876Ah 0x0000001a call 00007FA93CFE6D5Bh 0x0000001f pop ebx 0x00000020 popad 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA02D8 second address: 4FA02DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA02DE second address: 4FA036C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA93CFE6D64h 0x00000009 jmp 00007FA93CFE6D65h 0x0000000e popfd 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FA93CFE6D68h 0x0000001e sbb eax, 73388418h 0x00000024 jmp 00007FA93CFE6D5Bh 0x00000029 popfd 0x0000002a pushfd 0x0000002b jmp 00007FA93CFE6D68h 0x00000030 add esi, 2247EE78h 0x00000036 jmp 00007FA93CFE6D5Bh 0x0000003b popfd 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA036C second address: 4FA0372 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0372 second address: 4FA0376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0376 second address: 4FA03A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 pushad 0x0000000a movsx edi, cx 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 popad 0x00000012 xchg eax, esi 0x00000013 jmp 00007FA93D08FA1Eh 0x00000018 push eax 0x00000019 pushad 0x0000001a mov al, dl 0x0000001c mov edi, ecx 0x0000001e popad 0x0000001f xchg eax, esi 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 movsx edi, ax 0x00000026 mov ebx, eax 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA03A8 second address: 4FA03D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA93CFE6D60h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA93CFE6D67h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA03D8 second address: 4FA03DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA03DE second address: 4FA03F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA93CFE6D5Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA03F6 second address: 4FA0465 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, edi 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FA93D08FA1Fh 0x00000012 or ecx, 42B5D86Eh 0x00000018 jmp 00007FA93D08FA29h 0x0000001d popfd 0x0000001e mov bl, ah 0x00000020 popad 0x00000021 mov eax, dword ptr [769B4538h] 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FA93D08FA29h 0x0000002d jmp 00007FA93D08FA1Bh 0x00000032 popfd 0x00000033 push eax 0x00000034 push edx 0x00000035 mov cl, 4Fh 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0465 second address: 4FA04B3 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FA93CFE6D5Bh 0x00000008 or esi, 2CA233DEh 0x0000000e jmp 00007FA93CFE6D69h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xor dword ptr [ebp-08h], eax 0x0000001a pushad 0x0000001b mov edi, ecx 0x0000001d mov cx, 339Fh 0x00000021 popad 0x00000022 xor eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FA93CFE6D5Eh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA04B3 second address: 4FA04C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA93D08FA1Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA04C5 second address: 4FA04EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA93CFE6D65h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA04EE second address: 4FA055B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 1C033862h 0x00000008 pushfd 0x00000009 jmp 00007FA93D08FA23h 0x0000000e adc cx, 695Eh 0x00000013 jmp 00007FA93D08FA29h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d jmp 00007FA93D08FA21h 0x00000022 nop 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FA93D08FA28h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA055B second address: 4FA0561 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0561 second address: 4FA05B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA93D08FA1Ch 0x00000008 pop eax 0x00000009 jmp 00007FA93D08FA1Bh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 lea eax, dword ptr [ebp-10h] 0x00000014 pushad 0x00000015 mov dx, ax 0x00000018 pushfd 0x00000019 jmp 00007FA93D08FA20h 0x0000001e and ecx, 719FC948h 0x00000024 jmp 00007FA93D08FA1Bh 0x00000029 popfd 0x0000002a popad 0x0000002b mov dword ptr fs:[00000000h], eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA05B6 second address: 4FA05BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA05BA second address: 4FA05C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA05C0 second address: 4FA05C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA05C6 second address: 4FA05CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA05CA second address: 4FA05CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA05CE second address: 4FA0634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [ebp-18h], esp 0x0000000b pushad 0x0000000c mov si, 1DFDh 0x00000010 pushfd 0x00000011 jmp 00007FA93D08FA1Ah 0x00000016 and ah, FFFFFFD8h 0x00000019 jmp 00007FA93D08FA1Bh 0x0000001e popfd 0x0000001f popad 0x00000020 mov eax, dword ptr fs:[00000018h] 0x00000026 jmp 00007FA93D08FA26h 0x0000002b mov ecx, dword ptr [eax+00000FDCh] 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FA93D08FA27h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0634 second address: 4FA06AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA93CFE6D5Fh 0x00000009 add ecx, 582923AEh 0x0000000f jmp 00007FA93CFE6D69h 0x00000014 popfd 0x00000015 mov edx, eax 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a test ecx, ecx 0x0000001c jmp 00007FA93CFE6D5Ah 0x00000021 jns 00007FA93CFE6D78h 0x00000027 jmp 00007FA93CFE6D60h 0x0000002c add eax, ecx 0x0000002e jmp 00007FA93CFE6D60h 0x00000033 mov ecx, dword ptr [ebp+08h] 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 mov bl, DFh 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA06AA second address: 4FA06AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA06AF second address: 4FA06C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA93CFE6D60h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA06C3 second address: 4FA06C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F901BF second address: 4F90210 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FA93CFE6D5Fh 0x00000013 xor ax, CBCEh 0x00000018 jmp 00007FA93CFE6D69h 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90210 second address: 4F90216 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90216 second address: 4F9021A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F9021A second address: 4F9021E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F9021E second address: 4F9025B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FA93CFE6D66h 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 movzx eax, bx 0x00000013 movsx edi, ax 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FA93CFE6D61h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F9025B second address: 4F90261 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90261 second address: 4F90265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90265 second address: 4F90276 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 2Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push esi 0x0000000f pop edx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90276 second address: 4F90289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA93CFE6D5Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90289 second address: 4F9028D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F9028D second address: 4F902D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007FA93CFE6D62h 0x0000000e mov dword ptr [esp], ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FA93CFE6D5Dh 0x0000001a sbb si, 5586h 0x0000001f jmp 00007FA93CFE6D61h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F902D4 second address: 4F902D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F902D9 second address: 4F902F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx eax, dx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA93CFE6D5Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F902F2 second address: 4F902F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90354 second address: 4F9036C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov edi, ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F9036C second address: 4F90371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90371 second address: 4F90377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90377 second address: 4F9037B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F9037B second address: 4F903C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub edi, edi 0x0000000d jmp 00007FA93CFE6D67h 0x00000012 inc ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FA93CFE6D65h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F903C7 second address: 4F9041C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA93D08FA27h 0x00000009 xor al, FFFFFFAEh 0x0000000c jmp 00007FA93D08FA29h 0x00000011 popfd 0x00000012 mov edi, eax 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 test al, al 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c call 00007FA93D08FA22h 0x00000021 pop eax 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F9041C second address: 4F90484 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 je 00007FA93CFE6F86h 0x0000000d jmp 00007FA93CFE6D5Dh 0x00000012 lea ecx, dword ptr [ebp-14h] 0x00000015 jmp 00007FA93CFE6D5Eh 0x0000001a mov dword ptr [ebp-14h], edi 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FA93CFE6D5Eh 0x00000024 and esi, 6C78FFE8h 0x0000002a jmp 00007FA93CFE6D5Bh 0x0000002f popfd 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FA93CFE6D66h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90502 second address: 4F90589 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FA93D08FA20h 0x00000008 sbb si, FC98h 0x0000000d jmp 00007FA93D08FA1Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 jmp 00007FA93D08FA28h 0x0000001a popad 0x0000001b test eax, eax 0x0000001d pushad 0x0000001e mov cl, 20h 0x00000020 pushfd 0x00000021 jmp 00007FA93D08FA23h 0x00000026 jmp 00007FA93D08FA23h 0x0000002b popfd 0x0000002c popad 0x0000002d jg 00007FA9AEA5D933h 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FA93D08FA20h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90589 second address: 4F90598 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90598 second address: 4F90674 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93D08FA29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FA93D08FAB4h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FA93D08FA1Ch 0x00000016 and esi, 4477E548h 0x0000001c jmp 00007FA93D08FA1Bh 0x00000021 popfd 0x00000022 mov edi, ecx 0x00000024 popad 0x00000025 cmp dword ptr [ebp-14h], edi 0x00000028 pushad 0x00000029 mov cx, 8CB7h 0x0000002d call 00007FA93D08FA1Ch 0x00000032 jmp 00007FA93D08FA22h 0x00000037 pop esi 0x00000038 popad 0x00000039 jne 00007FA9AEA5D8ABh 0x0000003f pushad 0x00000040 call 00007FA93D08FA27h 0x00000045 pushfd 0x00000046 jmp 00007FA93D08FA28h 0x0000004b jmp 00007FA93D08FA25h 0x00000050 popfd 0x00000051 pop esi 0x00000052 mov di, 0D44h 0x00000056 popad 0x00000057 mov ebx, dword ptr [ebp+08h] 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007FA93D08FA26h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90674 second address: 4F90686 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA93CFE6D5Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90686 second address: 4F906BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-2Ch] 0x0000000b pushad 0x0000000c mov bl, 5Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushfd 0x00000011 jmp 00007FA93D08FA24h 0x00000016 adc si, C388h 0x0000001b jmp 00007FA93D08FA1Bh 0x00000020 popfd 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F906BC second address: 4F906FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, esi 0x0000000b jmp 00007FA93CFE6D60h 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA93CFE6D5Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F906FB second address: 4F9070D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA93D08FA1Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F9070D second address: 4F90725 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90725 second address: 4F90740 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93D08FA27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90740 second address: 4F90746 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90746 second address: 4F9074A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F9074A second address: 4F907F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a pushad 0x0000000b mov ecx, 7613577Fh 0x00000010 pushfd 0x00000011 jmp 00007FA93CFE6D64h 0x00000016 sbb ecx, 69EB0F68h 0x0000001c jmp 00007FA93CFE6D5Bh 0x00000021 popfd 0x00000022 popad 0x00000023 call 00007FA93CFE6D68h 0x00000028 mov si, C261h 0x0000002c pop esi 0x0000002d popad 0x0000002e mov dword ptr [esp], eax 0x00000031 pushad 0x00000032 mov cl, dl 0x00000034 mov cx, 2C5Bh 0x00000038 popad 0x00000039 xchg eax, ebx 0x0000003a jmp 00007FA93CFE6D5Eh 0x0000003f push eax 0x00000040 pushad 0x00000041 mov di, 9AD4h 0x00000045 pushfd 0x00000046 jmp 00007FA93CFE6D5Dh 0x0000004b xor eax, 115A2996h 0x00000051 jmp 00007FA93CFE6D61h 0x00000056 popfd 0x00000057 popad 0x00000058 xchg eax, ebx 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c mov ax, di 0x0000005f mov eax, edi 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90070 second address: 4F900CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 movsx ebx, ax 0x00000008 popad 0x00000009 mov ebp, esp 0x0000000b jmp 00007FA93D08FA28h 0x00000010 xchg eax, ecx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FA93D08FA1Eh 0x00000018 or si, BFB8h 0x0000001d jmp 00007FA93D08FA1Bh 0x00000022 popfd 0x00000023 mov eax, 7ECF6BEFh 0x00000028 popad 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FA93D08FA20h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F900CE second address: 4F900D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F900D4 second address: 4F900D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90D6E second address: 4F90D8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, edi 0x00000006 popad 0x00000007 popad 0x00000008 add dword ptr [esp], 66F56FBBh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA93CFE6D5Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90D8B second address: 4F90DAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, DEh 0x00000005 mov cx, D349h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c call 00007FA9AEA547F1h 0x00000011 push 76952B70h 0x00000016 push dword ptr fs:[00000000h] 0x0000001d mov eax, dword ptr [esp+10h] 0x00000021 mov dword ptr [esp+10h], ebp 0x00000025 lea ebp, dword ptr [esp+10h] 0x00000029 sub esp, eax 0x0000002b push ebx 0x0000002c push esi 0x0000002d push edi 0x0000002e mov eax, dword ptr [769B4538h] 0x00000033 xor dword ptr [ebp-04h], eax 0x00000036 xor eax, ebp 0x00000038 push eax 0x00000039 mov dword ptr [ebp-18h], esp 0x0000003c push dword ptr [ebp-08h] 0x0000003f mov eax, dword ptr [ebp-04h] 0x00000042 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000049 mov dword ptr [ebp-08h], eax 0x0000004c lea eax, dword ptr [ebp-10h] 0x0000004f mov dword ptr fs:[00000000h], eax 0x00000055 ret 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007FA93D08FA1Eh 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90DAE second address: 4F90DBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90E18 second address: 4F90E82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA93D08FA1Fh 0x00000009 sbb eax, 2DAD79CEh 0x0000000f jmp 00007FA93D08FA29h 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a je 00007FA9AEA4354Bh 0x00000020 jmp 00007FA93D08FA1Ch 0x00000025 cmp dword ptr [ebp+08h], 00002000h 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FA93D08FA27h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0B7B second address: 4FA0BA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 mov dx, 0FF6h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA93CFE6D69h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0BA3 second address: 4FA0BF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 64159CE2h 0x00000008 pushfd 0x00000009 jmp 00007FA93D08FA23h 0x0000000e jmp 00007FA93D08FA23h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov dword ptr [esp], ebp 0x0000001a jmp 00007FA93D08FA26h 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0BF7 second address: 4FA0BFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0BFD second address: 4FA0C0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA93D08FA1Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0C0C second address: 4FA0C73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93CFE6D69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FA93CFE6D5Ch 0x00000013 sub ax, 5298h 0x00000018 jmp 00007FA93CFE6D5Bh 0x0000001d popfd 0x0000001e movzx esi, dx 0x00000021 popad 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushfd 0x00000027 jmp 00007FA93CFE6D5Eh 0x0000002c adc ax, FCF8h 0x00000031 jmp 00007FA93CFE6D5Bh 0x00000036 popfd 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0C73 second address: 4FA0C9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 mov esi, edx 0x00000007 mov bx, CAD4h 0x0000000b popad 0x0000000c popad 0x0000000d xchg eax, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FA93D08FA25h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0C9A second address: 4FA0CA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0CA0 second address: 4FA0CB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA93D08FA23h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0CB7 second address: 4FA0CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0CBB second address: 4FA0D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+0Ch] 0x0000000b jmp 00007FA93D08FA25h 0x00000010 test esi, esi 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FA93D08FA1Ch 0x00000019 sbb eax, 457BBB48h 0x0000001f jmp 00007FA93D08FA1Bh 0x00000024 popfd 0x00000025 popad 0x00000026 je 00007FA9AEA3D0CFh 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f push esi 0x00000030 pop ebx 0x00000031 mov ah, 89h 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0D0C second address: 4FA0D35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA93CFE6D62h 0x00000008 pop eax 0x00000009 mov ax, di 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f cmp dword ptr [769B459Ch], 05h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0D35 second address: 4FA0D4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA93D08FA22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0D4B second address: 4FA0D51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0D51 second address: 4FA0DDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FA9AEA55154h 0x0000000e jmp 00007FA93D08FA29h 0x00000013 xchg eax, esi 0x00000014 pushad 0x00000015 mov dx, ax 0x00000018 mov ch, 3Fh 0x0000001a popad 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FA93D08FA27h 0x00000025 and cx, 130Eh 0x0000002a jmp 00007FA93D08FA29h 0x0000002f popfd 0x00000030 pushfd 0x00000031 jmp 00007FA93D08FA20h 0x00000036 xor ecx, 44369988h 0x0000003c jmp 00007FA93D08FA1Bh 0x00000041 popfd 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0E20 second address: 4FA0E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0E24 second address: 4FA0E28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0E28 second address: 4FA0E2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0E2E second address: 4FA0E3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA93D08FA1Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0E3D second address: 4FA0E41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0E41 second address: 4FA0E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FA93D08FA24h 0x0000000e xchg eax, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA93D08FA1Ah 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0E6D second address: 4FA0E71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0E71 second address: 4FA0E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0E77 second address: 4FA0E88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA93CFE6D5Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 108B80 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 108AFF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 2B77D6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3359E6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0010E1CA rdtsc 0_2_0010E1CA
Source: C:\Users\user\Desktop\file.exe TID: 6948 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6948 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, file.exe, 00000000.00000002.2343347154.0000000000290000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: file.exe, 00000000.00000002.2344169345.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2342679298.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: file.exe, 00000000.00000003.2212690171.0000000005941000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696487552p
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: file.exe, 00000000.00000002.2344104986.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: file.exe, 00000000.00000002.2343347154.0000000000290000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: file.exe, 00000000.00000003.2212690171.000000000593B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0010E1CA rdtsc 0_2_0010E1CA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_000EB480 LdrInitializeThunk, 0_2_000EB480
Source: file.exe Binary or memory string: 2}Program Manager
Source: file.exe, 00000000.00000002.2343347154.0000000000290000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: file.exe, 00000000.00000003.2300263343.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2344336830.0000000000FFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: les%\Windows Defender\MsMpeng.exe
Source: file.exe, 00000000.00000003.2282477322.000000000101D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2342679298.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282551373.0000000001021000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2344169345.0000000000F7F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2299863908.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
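The entries above enumerate every probe the sample makes against its environment: paired rdtsc reads (the interceptor logs each pair together with the instructions between them), BIOS strings read from the registry and via WMI, the window classes of Process Monitor, Regmon, Filemon and OllyDbg, the legacy SoftICE device names NTICE, SICE and SIWVID, and the HideFromDebugger / DebugPort thread and process information calls. The Oreans.vxd and Software\WinLicense strings in the previous section are WinLicense (Oreans) protector strings, so part of this behaviour likely belongs to the packer rather than to the stealer's own code. The script below is an added example, not part of the Joe Sandbox report: it turns such lines into a sandbox-hardening checklist, that is, the concrete window names, device names, registry values and WMI classes an analysis VM must not expose. The sample lines are copied from this report; the category names and the advice strings are the editor's own.

```python
"""Turn Joe Sandbox "Source:" evasion entries into a sandbox-hardening checklist.

Added example for this report: each anti-analysis probe the sample makes
(window classes it searches for, kernel-debugger device names it opens,
registry values and WMI classes it fingerprints, debugger APIs, timing
checks) is extracted into a category so an analyst can see exactly which
artefacts an analysis VM must not expose.  Category names and the advice
text are the editor's own, not Joe Sandbox terminology.
"""
import re
from collections import defaultdict

# Constructed input: lines copied from this report (some still carry the
# "Jump to behavior" link text, which the parser strips).
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0CB7 second address: 4FA0CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FA0E24 second address: 4FA0E28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6948 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
"""

# "Source: <path> <body>" with the optional link text at the end.
LINE_PREFIX = re.compile(r"^Source: \S+ (.*?)(?: Jump to behavior)?$")

# (category, pattern matched against the body, format string for the finding).
# First matching rule wins, so keep the more specific patterns first.
RULES = [
    ("timing_rdtsc", re.compile(r"RDTSC instruction interceptor: First address: (\w+) second address: (\w+)"), "{0}->{1}"),
    ("sleep_interval", re.compile(r"Thread sleep time: -?(\d+)s"), "{0}"),
    ("vm_fingerprint_registry", re.compile(r"Registry key queried: (\S+) name: (\S+)"), "{0}\\{1}"),
    ("vm_fingerprint_wmi", re.compile(r"WMI Queries: IWbemServices::ExecQuery - (\S+) : (.+)"), "{0} : {1}"),
    ("analysis_tool_window", re.compile(r"Open window title or class name: (.+)"), "{0}"),
    # A bare name with no path separator is a device object, not a file.
    ("kernel_debugger_device", re.compile(r"File opened: ([A-Za-z0-9]+)$"), r"\\.\{0}"),
    ("debugger_api", re.compile(r"(Thread information set|Process queried): (\S+)"), "{0}: {1}"),
]

ADVICE = {
    "analysis_tool_window": "rename or hide these window classes/titles on the analysis VM",
    "kernel_debugger_device": "these legacy SoftICE device names must not resolve",
    "vm_fingerprint_registry": "populate these values with vendor strings that do not name a hypervisor",
    "vm_fingerprint_wmi": "WMI classes fingerprinted; spoof BIOS and AV product data at the provider",
    "debugger_api": "user-mode debugger checks to neutralise (debug port, thread hiding)",
    "timing_rdtsc": "paired RDTSC reads; instrumentation between them inflates the delta",
    "sleep_interval": "sleeps (value as printed by the report) that the sandbox must fast-forward consistently",
}


def parse_report(text):
    """Group the probes in the report text by category, deduplicated and sorted."""
    findings = defaultdict(set)
    for raw in text.splitlines():
        m = LINE_PREFIX.match(raw.strip())
        if not m:
            continue
        body = m.group(1)
        for category, pattern, fmt in RULES:
            hit = pattern.search(body)
            if hit:
                findings[category].add(fmt.format(*hit.groups()))
                break
    return {k: sorted(v) for k, v in findings.items()}


def hardening_checklist(findings):
    """Render the findings as a checklist: one header per category, one line per item."""
    lines = []
    for category, items in findings.items():
        lines.append(f"[{category}] {ADVICE.get(category, '')}")
        lines.extend(f"  - {item}" for item in items)
    return lines


if __name__ == "__main__":
    print("\n".join(hardening_checklist(parse_report(SAMPLE_REPORT))))
```

The same parser runs unchanged over the full report text, because it keys on the verb phrases Joe Sandbox uses rather than on line position; any entry that matches none of the rules is simply ignored.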

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: file.exe PID: 5632, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: file.exe, 00000000.00000003.2261632719.0000000001015000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\wallets
Source: file.exe, 00000000.00000003.2261632719.0000000001015000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\ElectronCash\wallets
Source: file.exe, 00000000.00000003.2261632719.0000000001015000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/JAXX New Version
Source: file.exe, 00000000.00000003.2299804026.000000000100F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520
Source: file.exe, 00000000.00000003.2235655968.0000000001002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Exodus
Source: file.exe, 00000000.00000003.2190452514.0000000001001000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: erations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\
Source: file.exe, 00000000.00000003.2235655968.0000000001002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000003.2235655968.0000000001002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT Jump to behavior
Source: Yara match File source: 00000000.00000003.2259071375.0000000001006000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2212521763.0000000001005000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2235655968.0000000001002000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2259012497.0000000001006000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2190452514.0000000001001000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2235678317.0000000001005000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2212421747.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2212500277.0000000001002000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2261414653.0000000001009000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5632, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: file.exe PID: 5632, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR