Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1572053
MD5: d7229a6c265f82bc80e0908656b99344
SHA1: 5f7a6a735d114a12096d8b5e8048f62bf1cdb748
SHA256: 128194635b1cd03bdd7da72b0346b5a5d82da29cde42dade730b15252396a6f7
Tags: exeuser-Bitsight
Infos:

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: https://atten-supporse.biz/apilit Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/mv Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/apiY Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/6 Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/apiate Avira URL Cloud: Label: malware
Source: http://185.215.113.16/f Avira URL Cloud: Label: malware
Source: http://185.215.113.16/steam/random.exeZ Avira URL Cloud: Label: malware
Found malware configuration
Source: file.exe.1596.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["dwell-exclaim.biz", "zinc-sneark.biz", "print-vexer.biz", "dare-curbys.biz", "se-blurry.biz", "covery-mover.biz", "impend-differ.biz", "atten-supporse.biz", "formy-spill.biz"], "Build id": "LOGS11--LiveTraffic"}
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 39%
Source: file.exe Virustotal: Detection: 50% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000000.00000002.2578754897.0000000000091000.00000040.00000001.01000000.00000003.sdmp String decryptor: impend-differ.biz
Source: 00000000.00000002.2578754897.0000000000091000.00000040.00000001.01000000.00000003.sdmp String decryptor: print-vexer.biz
Source: 00000000.00000002.2578754897.0000000000091000.00000040.00000001.01000000.00000003.sdmp String decryptor: dare-curbys.biz
Source: 00000000.00000002.2578754897.0000000000091000.00000040.00000001.01000000.00000003.sdmp String decryptor: covery-mover.biz
Source: 00000000.00000002.2578754897.0000000000091000.00000040.00000001.01000000.00000003.sdmp String decryptor: formy-spill.biz
Source: 00000000.00000002.2578754897.0000000000091000.00000040.00000001.01000000.00000003.sdmp String decryptor: dwell-exclaim.biz
Source: 00000000.00000002.2578754897.0000000000091000.00000040.00000001.01000000.00000003.sdmp String decryptor: zinc-sneark.biz
Source: 00000000.00000002.2578754897.0000000000091000.00000040.00000001.01000000.00000003.sdmp String decryptor: se-blurry.biz
Source: 00000000.00000002.2578754897.0000000000091000.00000040.00000001.01000000.00000003.sdmp String decryptor: atten-supporse.biz
Source: 00000000.00000002.2578754897.0000000000091000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2578754897.0000000000091000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2578754897.0000000000091000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2578754897.0000000000091000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2578754897.0000000000091000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2578754897.0000000000091000.00000040.00000001.01000000.00000003.sdmp String decryptor: LOGS11--LiveTraffic
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 HTTP Parser: No favicon
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 HTTP Parser: No favicon
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49811 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49944 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:50022 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.2583063417.0000000005D52000.00000040.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2445366476.0000000007CC0000.00000004.00001000.00020000.00000000.sdmp

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:49710 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:49711 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:49707 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:49708 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:49719 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:49725 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2057921 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz) : 192.168.2.6:52990 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:49746 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.6:49713 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49708 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49707 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49707 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49708 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49746 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49710 -> 104.21.16.1:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: dwell-exclaim.biz
Source: Malware configuration extractor URLs: zinc-sneark.biz
Source: Malware configuration extractor URLs: print-vexer.biz
Source: Malware configuration extractor URLs: dare-curbys.biz
Source: Malware configuration extractor URLs: se-blurry.biz
Source: Malware configuration extractor URLs: covery-mover.biz
Source: Malware configuration extractor URLs: impend-differ.biz
Source: Malware configuration extractor URLs: atten-supporse.biz
Source: Malware configuration extractor URLs: formy-spill.biz
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 01:50:26 GMTContent-Type: application/octet-streamContent-Length: 2821120Last-Modified: Tue, 10 Dec 2024 01:21:12 GMTConnection: keep-aliveETag: "67579788-2b0c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 80 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 2b 00 00 04 00 00 61 14 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 6e 63 6c 6e 6a 71 76 00 c0 2a 00 00 a0 00 00 00 ac 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 75 74 6b 6a 6f 7a 69 00 20 00 00 00 60 2b 00 00 04 00 00 00 e6 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 80 2b 00 00 22 00 00 00 ea 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.16 185.215.113.16
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49710 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49711 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49707 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49708 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49719 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49725 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49746 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49713 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49752 -> 185.215.113.16:80
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.181.0
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.181.0
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.181.0
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.181.0
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.181.0
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.181.0
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.119.143
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${s}" equals www.facebook.com (Facebook)
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${s}" equals www.linkedin.com (Linkedin)
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI||{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.facebook.com (Facebook)
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI||{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.linkedin.com (Linkedin)
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: </section>`}function Dce(e=tw,t=gp){return sl(M4,e,t)}function $ce(e=aw,t=sw){return sl(t4,e,t)}var vI=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(vI||{}),LRe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function $x(e,t,o){let n=encodeURIComponent(t),r=new URL(e);r.hostname="learn.microsoft.com";let s=r.href+=(e.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=L.sharingId?`&sharingId=${L.sharingId}`:"";return Object.values(vI).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let d=encodeURIComponent(s+c+i),u=o?.achievementCopyTitle?.overrideTitle??t,p=encodeURIComponent(rQ.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${u}`:`"${u}"`)),g={achievementCopy:p,url:d,title:n,body:`${p}${encodeURIComponent(` equals www.twitter.com (Twitter)
Source: global traffic DNS traffic detected: DNS query: atten-supporse.biz
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: js.monitor.azure.com
Source: global traffic DNS traffic detected: DNS query: mdec.nelreports.net
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: atten-supporse.biz
Source: file.exe, 00000000.00000003.2420578040.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: file.exe, 00000000.00000003.2420578040.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/f
Source: file.exe, 00000000.00000003.2421152066.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2579497100.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: file.exe, 00000000.00000003.2446364692.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2421152066.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2579497100.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: file.exe, 00000000.00000003.2446364692.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2421152066.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2579497100.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeZ
Source: file.exe, 00000000.00000003.2212238206.000000000536B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2212238206.000000000536B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.2239268803.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2237871217.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239058013.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2237491903.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240546025.0000000000B56000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238596385.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238110756.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2165412620.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240259411.0000000000B56000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2260395490.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238832656.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2420951911.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239744184.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2143331142.0000000000B56000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2420578040.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2165324335.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239504789.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240046403.0000000000B55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: file.exe, 00000000.00000003.2212238206.000000000536B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2212238206.000000000536B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2212238206.000000000536B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2212238206.000000000536B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2212238206.000000000536B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.2212238206.000000000536B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2212238206.000000000536B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chromecache_111.7.dr String found in binary or memory: http://schema.org/Organization
Source: file.exe, 00000000.00000003.2212238206.000000000536B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2212238206.000000000536B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.2167045203.000000000537D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167119582.000000000537B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://aka.ms/MSIgniteChallenge/Tier1Banner?wt.mc_id=ignite24_learnbanner_tier1_cnl
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://aka.ms/certhelp
Source: chromecache_111.7.dr String found in binary or memory: https://aka.ms/feedback/report?space=61
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://aka.ms/msignite_docs_banner
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://aka.ms/pshelpmechoose
Source: chromecache_111.7.dr String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
Source: file.exe, 00000000.00000003.2238596385.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2143403649.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2165324335.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240046403.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2211817141.000000000534B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239268803.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239744184.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240332812.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2165412620.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2237871217.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239504789.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238110756.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2237491903.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2165324335.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238832656.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239058013.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/
Source: file.exe, 00000000.00000003.2165324335.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/6
Source: file.exe, 00000000.00000003.2165324335.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2260169372.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2446401500.0000000000BA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2260473159.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2421284081.0000000000BA3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2420578040.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2237491903.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/api
Source: file.exe, 00000000.00000003.2237491903.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apiY
Source: file.exe, 00000000.00000003.2260395490.0000000000B55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apiate
Source: file.exe, 00000000.00000003.2237491903.0000000000B53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apilit
Source: file.exe, 00000000.00000003.2211817141.000000000534B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/mv
Source: chromecache_111.7.dr String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725
Source: chromecache_111.7.dr String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://aznb-ame-prod.azureedge.net/component/$
Source: file.exe, 00000000.00000003.2213532412.0000000000BC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: file.exe, 00000000.00000003.2260473159.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238596385.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2420951911.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240046403.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239268803.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239744184.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240332812.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2446401500.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2237871217.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239504789.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2579823183.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238110756.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2420578040.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2237491903.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238832656.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239058013.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2264719548.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: file.exe, 00000000.00000003.2167045203.000000000537D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167119582.000000000537B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2167045203.000000000537D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167119582.000000000537B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2167045203.000000000537D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167119582.000000000537B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://channel9.msdn.com/
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://client-api.arkoselabs.com/v2/api.js
Source: file.exe, 00000000.00000003.2213532412.0000000000BC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: file.exe, 00000000.00000003.2260473159.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238596385.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2420951911.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240046403.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239268803.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239744184.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240332812.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2446401500.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2237871217.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239504789.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2579823183.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238110756.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2420578040.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2237491903.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238832656.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239058013.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2264719548.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.2167045203.000000000537D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167119582.000000000537B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2167045203.000000000537D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167119582.000000000537B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2167045203.000000000537D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167119582.000000000537B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chromecache_111.7.dr String found in binary or memory: https://github.com/Thraka
Source: chromecache_111.7.dr String found in binary or memory: https://github.com/Youssef1313
Source: chromecache_111.7.dr String found in binary or memory: https://github.com/adegeo
Source: chromecache_111.7.dr String found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
Source: chromecache_111.7.dr String found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
Source: chromecache_111.7.dr String found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
Source: chromecache_111.7.dr String found in binary or memory: https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://github.com/dotnet/try
Source: chromecache_111.7.dr String found in binary or memory: https://github.com/gewarren
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://github.com/jonschlinkert/is-plain-object
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: chromecache_111.7.dr String found in binary or memory: https://github.com/mairaw
Source: chromecache_111.7.dr String found in binary or memory: https://github.com/nschonni
Source: file.exe, 00000000.00000003.2260473159.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238596385.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2420951911.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240046403.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239268803.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239744184.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240332812.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2446401500.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2237871217.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239504789.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2579823183.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238110756.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2213532412.0000000000BC0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2420578040.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2237491903.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238832656.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239058013.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2264719548.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: chromecache_111.7.dr String found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://learn-video.azurefd.net/vod/player
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2023-0
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://octokit.github.io/rest.js/#throttling
Source: chromecache_91.7.dr String found in binary or memory: https://schema.org
Source: file.exe, 00000000.00000003.2213228106.0000000005457000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.2213228106.0000000005457000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-09ce73a6-05a5-4e4d-b3d7-bd5a8c05
Source: chromecache_91.7.dr String found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-b4da8140-92cf-421c-8b7b-e471d5b9
Source: file.exe, 00000000.00000003.2260473159.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238596385.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2420951911.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240046403.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239268803.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239744184.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240332812.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2446401500.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2237871217.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239504789.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2579823183.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238110756.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2420578040.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2237491903.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238832656.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239058013.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2264719548.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_
Source: file.exe, 00000000.00000003.2167045203.000000000537D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167119582.000000000537B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2167045203.000000000537D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167119582.000000000537B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chromecache_103.7.dr, chromecache_91.7.dr String found in binary or memory: https://www.linkedin.com/cws/share?url=$
Source: file.exe, 00000000.00000003.2213139320.0000000005367000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.or
Source: file.exe, 00000000.00000003.2213139320.0000000005367000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000003.2213228106.0000000005457000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: file.exe, 00000000.00000003.2213228106.0000000005457000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: file.exe, 00000000.00000003.2213228106.0000000005457000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2213532412.0000000000BC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49811 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:49944 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.119.143:443 -> 192.168.2.6:50022 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6C5D2 0_2_05D6C5D2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DB05CA 0_2_05DB05CA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D975F9 0_2_05D975F9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D89DEB 0_2_05D89DEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DB2D98 0_2_05DB2D98
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7F58E 0_2_05D7F58E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9FD83 0_2_05D9FD83
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D83DA5 0_2_05D83DA5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DAA55B 0_2_05DAA55B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D80D5E 0_2_05D80D5E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D67D5E 0_2_05D67D5E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D92D66 0_2_05D92D66
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D81510 0_2_05D81510
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6ED30 0_2_05D6ED30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6953B 0_2_05D6953B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8952B 0_2_05D8952B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D914D9 0_2_05D914D9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7DCDB 0_2_05D7DCDB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA04CB 0_2_05DA04CB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9ACC1 0_2_05D9ACC1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D96CF9 0_2_05D96CF9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DABCF2 0_2_05DABCF2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA24F6 0_2_05DA24F6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DAFCF4 0_2_05DAFCF4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6F490 0_2_05D6F490
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA6491 0_2_05DA6491
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D90C96 0_2_05D90C96
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D91C88 0_2_05D91C88
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D75CB0 0_2_05D75CB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D81CB7 0_2_05D81CB7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8C44C 0_2_05D8C44C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D71441 0_2_05D71441
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D88C46 0_2_05D88C46
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA1475 0_2_05DA1475
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7EC61 0_2_05D7EC61
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DB5C13 0_2_05DB5C13
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA4C16 0_2_05DA4C16
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DB1415 0_2_05DB1415
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6FC06 0_2_05D6FC06
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7340F 0_2_05D7340F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D94439 0_2_05D94439
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9243E 0_2_05D9243E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DAF435 0_2_05DAF435
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DB1C34 0_2_05DB1C34
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DAD42C 0_2_05DAD42C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7C7D1 0_2_05D7C7D1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D71FDA 0_2_05D71FDA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DACFC8 0_2_05DACFC8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6D7C1 0_2_05D6D7C1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6A7C9 0_2_05D6A7C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D73FF0 0_2_05D73FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D947F3 0_2_05D947F3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D937F4 0_2_05D937F4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DB4FEB 0_2_05DB4FEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DB5790 0_2_05DB5790
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8BF96 0_2_05D8BF96
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9DF89 0_2_05D9DF89
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D98783 0_2_05D98783
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8AFBC 0_2_05D8AFBC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA6FB3 0_2_05DA6FB3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7AFA7 0_2_05D7AFA7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DAD752 0_2_05DAD752
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DB0F41 0_2_05DB0F41
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D75F4A 0_2_05D75F4A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DB3F44 0_2_05DB3F44
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DB1F7E 0_2_05DB1F7E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6AF6A 0_2_05D6AF6A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D84F10 0_2_05D84F10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6DF0D 0_2_05D6DF0D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D74F0C 0_2_05D74F0C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D82705 0_2_05D82705
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DAEF3B 0_2_05DAEF3B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8A724 0_2_05D8A724
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9CF25 0_2_05D9CF25
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6BEDA 0_2_05D6BEDA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D90ED7 0_2_05D90ED7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA5ECB 0_2_05DA5ECB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7BEC0 0_2_05D7BEC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D866F9 0_2_05D866F9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9D6F6 0_2_05D9D6F6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D78694 0_2_05D78694
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA3694 0_2_05DA3694
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8FE97 0_2_05D8FE97
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8568E 0_2_05D8568E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8EEB9 0_2_05D8EEB9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D78EBC 0_2_05D78EBC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D996AA 0_2_05D996AA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D966A1 0_2_05D966A1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DAC6A3 0_2_05DAC6A3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D70EA8 0_2_05D70EA8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8D65B 0_2_05D8D65B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9BE41 0_2_05D9BE41
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9C646 0_2_05D9C646
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D68E7E 0_2_05D68E7E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA0E6B 0_2_05DA0E6B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7FE17 0_2_05D7FE17
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8761A 0_2_05D8761A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8360D 0_2_05D8360D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7660D 0_2_05D7660D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6CE37 0_2_05D6CE37
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9EE32 0_2_05D9EE32
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D72639 0_2_05D72639
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D79E38 0_2_05D79E38
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D5DE21 0_2_05D5DE21
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D76E2D 0_2_05D76E2D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D841C9 0_2_05D841C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D809CF 0_2_05D809CF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6B9FC 0_2_05D6B9FC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA29EC 0_2_05DA29EC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7B9EE 0_2_05D7B9EE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D831E6 0_2_05D831E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D99990 0_2_05D99990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8398B 0_2_05D8398B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA6981 0_2_05DA6981
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6E9A0 0_2_05D6E9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D969A4 0_2_05D969A4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D92958 0_2_05D92958
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D70955 0_2_05D70955
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7315B 0_2_05D7315B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9E940 0_2_05D9E940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D81143 0_2_05D81143
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DAF947 0_2_05DAF947
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA0978 0_2_05DA0978
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D81976 0_2_05D81976
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8C96B 0_2_05D8C96B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA211D 0_2_05DA211D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D98113 0_2_05D98113
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D70122 0_2_05D70122
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA192C 0_2_05DA192C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9A8DE 0_2_05D9A8DE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7E0C0 0_2_05D7E0C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D698CD 0_2_05D698CD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9B0FE 0_2_05D9B0FE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D820E9 0_2_05D820E9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D920E6 0_2_05D920E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D68897 0_2_05D68897
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DB3098 0_2_05DB3098
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA9094 0_2_05DA9094
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DB3895 0_2_05DB3895
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D89888 0_2_05D89888
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DB1086 0_2_05DB1086
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D96087 0_2_05D96087
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DAF084 0_2_05DAF084
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7F0A9 0_2_05D7F0A9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6F056 0_2_05D6F056
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7B856 0_2_05D7B856
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6E053 0_2_05D6E053
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DB004D 0_2_05DB004D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9F878 0_2_05D9F878
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DAB870 0_2_05DAB870
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D97060 0_2_05D97060
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8B863 0_2_05D8B863
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D67819 0_2_05D67819
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA580D 0_2_05DA580D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA8804 0_2_05DA8804
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7D038 0_2_05D7D038
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA302E 0_2_05DA302E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6F82C 0_2_05D6F82C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8DBD1 0_2_05D8DBD1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D82BC8 0_2_05D82BC8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D683C9 0_2_05D683C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8ABFF 0_2_05D8ABFF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6A3FE 0_2_05D6A3FE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D94BF1 0_2_05D94BF1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DACBF1 0_2_05DACBF1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA53E9 0_2_05DA53E9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8E3E3 0_2_05D8E3E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA7BE5 0_2_05DA7BE5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6AB90 0_2_05D6AB90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D93391 0_2_05D93391
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9D38C 0_2_05D9D38C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA23B2 0_2_05DA23B2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DADBA8 0_2_05DADBA8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D97BAC 0_2_05D97BAC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D84B5C 0_2_05D84B5C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D95B4D 0_2_05D95B4D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6734F 0_2_05D6734F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7AB67 0_2_05D7AB67
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA9B62 0_2_05DA9B62
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D90312 0_2_05D90312
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D74B0A 0_2_05D74B0A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA3B32 0_2_05DA3B32
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6C324 0_2_05D6C324
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D83B2C 0_2_05D83B2C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7A32D 0_2_05D7A32D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DB4320 0_2_05DB4320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9F326 0_2_05D9F326
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7C2D7 0_2_05D7C2D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D85ADE 0_2_05D85ADE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9FACC 0_2_05D9FACC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D802FB 0_2_05D802FB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6B2FD 0_2_05D6B2FD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6CAE1 0_2_05D6CAE1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA72E2 0_2_05DA72E2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8D2E6 0_2_05D8D2E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA429E 0_2_05DA429E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA829D 0_2_05DA829D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DB5294 0_2_05DB5294
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D95285 0_2_05D95285
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D98AB0 0_2_05D98AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8F2B4 0_2_05D8F2B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DB22B6 0_2_05DB22B6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D762A0 0_2_05D762A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8FAA2 0_2_05D8FAA2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7D25E 0_2_05D7D25E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D86251 0_2_05D86251
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9A257 0_2_05D9A257
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D77258 0_2_05D77258
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D66A40 0_2_05D66A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D75240 0_2_05D75240
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7E249 0_2_05D7E249
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9CA78 0_2_05D9CA78
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D69272 0_2_05D69272
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D76A71 0_2_05D76A71
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D78266 0_2_05D78266
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6D265 0_2_05D6D265
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DAC26C 0_2_05DAC26C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9921D 0_2_05D9921D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D9321E 0_2_05D9321E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D7EA02 0_2_05D7EA02
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D8DA38 0_2_05D8DA38
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D68230 0_2_05D68230
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D71A2F 0_2_05D71A2F
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000003.2420894411.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2380043483.00000000057D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2384562112.000000000599F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2385567823.00000000058C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2382952953.00000000057D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2384832769.00000000058B4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2389108586.000000000590E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2385674507.00000000059BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2388442467.00000000057D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2391771793.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2380602593.000000000591E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2382472069.000000000595D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000002.2582742277.0000000005A9D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2384189473.00000000058BC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2387013733.00000000057D6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2382857138.00000000058A4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2382378250.0000000005892000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2383228938.00000000057D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2389276668.00000000057D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2378368389.00000000055D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2384311106.00000000057D6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2378679158.00000000057DA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2383928347.00000000058BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2380846912.00000000057D3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000002.2583085606.0000000005D56000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2388621379.00000000058FD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2380440503.00000000057D3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2382568593.00000000057DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2385761370.00000000057DA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2385461938.00000000057D7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2388916221.00000000057DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2381077838.0000000005882000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2384426609.00000000058B7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2380123024.0000000005879000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2387129505.00000000058E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2378911968.000000000586A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2380520515.0000000005873000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2383129185.00000000058A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2391936355.00000000057DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2381880802.0000000005896000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2380283540.000000000587B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2382216550.0000000005895000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2384698390.00000000057D5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2385984594.00000000059D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2382666817.00000000058AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2387829509.00000000058FF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2378832092.00000000057D4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2381161319.0000000005938000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2381970210.00000000057D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2387245443.00000000059FF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2391234992.0000000005919000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2386787111.00000000057D7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2381245611.00000000057D6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2378439034.0000000005435000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2389933493.0000000005A3C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2390289738.0000000005907000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2382128161.00000000057D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2420390858.0000000005333000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2387710611.00000000057DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2383339555.00000000058A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2386095518.00000000057D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2386229850.00000000058D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2388318757.0000000005A1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2388069648.00000000057DA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2388193990.00000000058FC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2387594099.0000000005A09000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2420181670.00000000053EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2386674507.00000000059DD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2386436139.00000000057D5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2383830940.00000000057DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2389481593.0000000005908000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2378755201.0000000005437000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2382040438.0000000005898000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2380931281.0000000005885000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2379958992.000000000590A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2378599064.0000000005435000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2385874424.00000000058D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2390532949.0000000005A45000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2388746710.0000000005A2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2380996289.00000000057D3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2390107449.00000000057D7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2385376860.00000000058C9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2382286561.00000000057DA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2390736016.00000000057D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2420390858.0000000005345000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2387947982.0000000005A21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2390889040.0000000005921000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2380204618.00000000057DC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2387364304.00000000057DA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2380683578.00000000057D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2380361629.0000000005921000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2382761003.00000000057E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2386900566.00000000058EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2392097635.0000000005925000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2391406251.00000000057D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2383439656.0000000005981000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2420217556.000000000535F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2385266794.00000000057D6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2384948529.0000000005997000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2384060814.00000000057D7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2385158872.00000000058D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2387478983.00000000058EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2391066218.00000000057D8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2391583363.000000000591A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2380763734.0000000005883000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2385055222.00000000057D4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2386558696.00000000058D6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2378518212.00000000057D5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9975129757785467
Source: file.exe Static PE information: Section: kcjzlwkt ZLIB complexity 0.9946914618549823
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@24/64@9/5
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000003.2167378468.0000000005368000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2190448124.000000000535F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167628605.000000000534A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 39%
Source: file.exe Virustotal: Detection: 50%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1896,i,9604878912781494424,10388162517610597454,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1976,i,6169164683179771580,6537590639377131950,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1896,i,9604878912781494424,10388162517610597454,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1976,i,6169164683179771580,6537590639377131950,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.shell.servicehostbuilder.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wkscli.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 1890304 > 1048576
Source: file.exe Static PE information: Raw size of kcjzlwkt is bigger than: 0x100000 < 0x1a5800
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.2583063417.0000000005D52000.00000040.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2445366476.0000000007CC0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kcjzlwkt:EW;cwbfsuvm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kcjzlwkt:EW;cwbfsuvm:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x1da749 should be: 0x1d5fe1
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: kcjzlwkt
Source: file.exe Static PE information: section name: cwbfsuvm
Source: file.exe Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D625D6 push 3E58D652h; mov dword ptr [esp], ecx 0_2_05D63C3C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D64DD8 push 750FD3F3h; mov dword ptr [esp], esi 0_2_05D64DDD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D605EA push edx; mov dword ptr [esp], ebx 0_2_05D605F4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D5ED91 push edx; mov dword ptr [esp], eax 0_2_05D5F88E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D60DB7 push esi; mov dword ptr [esp], eax 0_2_05D60DBE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D60DB7 push 6309229Dh; mov dword ptr [esp], ebp 0_2_05D611E5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D60DB7 push 1CF6864Ah; mov dword ptr [esp], ebx 0_2_05D611F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D60DB7 push edx; mov dword ptr [esp], edi 0_2_05D611F6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D5C553 push ebp; ret 0_2_05D5C565
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D62D4E push ecx; mov dword ptr [esp], edi 0_2_05D62D4F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D5F57E push ebx; mov dword ptr [esp], esp 0_2_05D5F780
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D5F57E push 7766FB56h; mov dword ptr [esp], eax 0_2_05D5F82C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D5E56C push 7766FB56h; mov dword ptr [esp], eax 0_2_05D5F82C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6251D push eax; mov dword ptr [esp], ebp 0_2_05D6251E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D5C50D push ebp; mov dword ptr [esp], ebx 0_2_05D5C514
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D60D20 push 1E864426h; mov dword ptr [esp], ebx 0_2_05D60D25
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D5D4F9 push 32AABF41h; mov dword ptr [esp], edi 0_2_05D5D50B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D60CE7 push ebp; mov dword ptr [esp], eax 0_2_05D64A86
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D63C93 push 2FB63D11h; mov dword ptr [esp], edx 0_2_05D63CAA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D63C93 push ebp; mov dword ptr [esp], eax 0_2_05D63CC6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D63C93 push ecx; mov dword ptr [esp], edx 0_2_05D64EED
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D63C93 push 7CB9CB00h; mov dword ptr [esp], eax 0_2_05D64F0B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D6348F push ebp; mov dword ptr [esp], ecx 0_2_05D63490
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D62C89 push 4B3468BDh; mov dword ptr [esp], ecx 0_2_05D62C8E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D60C53 push eax; mov dword ptr [esp], edi 0_2_05D6240C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D60C53 push esi; mov dword ptr [esp], 6FF96C2Eh 0_2_05D6376C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D60C53 push 051AA7B8h; mov dword ptr [esp], ebp 0_2_05D64E52
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D60C62 push ebx; mov dword ptr [esp], 1A747CFFh 0_2_05D65028
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D62417 push edx; mov dword ptr [esp], 3418E570h 0_2_05D629E8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA4C16 push ecx; mov dword ptr [esp], 60AB94CFh 0_2_05DA505B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05DA4C16 push 70CF66E8h; mov dword ptr [esp], ebx 0_2_05DA51D0
Source: file.exe Static PE information: section name: entropy: 7.975138897205294
Source: file.exe Static PE information: section name: kcjzlwkt entropy: 7.953160073987712

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation Jump to behavior
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 271749 second address: 27174D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27174D second address: 271781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1910516D68h 0x0000000b pushad 0x0000000c jng 00007F1910516D56h 0x00000012 jmp 00007F1910516D5Dh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 271781 second address: 271789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26B8B1 second address: 26B8B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26B8B5 second address: 26B8BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2707F0 second address: 270810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007F1910516D65h 0x0000000b push edi 0x0000000c pop edi 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 270810 second address: 27081B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27081B second address: 27085A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F1910516D6Dh 0x0000000b jmp 00007F1910516D67h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jmp 00007F1910516D5Ah 0x00000018 jmp 00007F1910516D5Ah 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27085A second address: 27085E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 270B18 second address: 270B20 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 270B20 second address: 270B35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F19111E380Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 270B35 second address: 270B39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 270CA5 second address: 270CAF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F19111E3806h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 270CAF second address: 270CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F1910516D56h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 270CBB second address: 270CE0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F19111E3806h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jp 00007F19111E3806h 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F19111E380Dh 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 270CE0 second address: 270CEC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 270CEC second address: 270CF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F19111E3806h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 270CF6 second address: 270CFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 270FAD second address: 270FDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 jmp 00007F19111E380Eh 0x0000000e je 00007F19111E380Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 jl 00007F19111E3806h 0x0000001c push edx 0x0000001d pop edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 27384C second address: 273852 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 273852 second address: 273874 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F19111E3813h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 273874 second address: 273893 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 273893 second address: 2738B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E380Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F19111E380Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2738B4 second address: 2738CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1910516D64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2738CC second address: 2738D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 273B91 second address: 273B9B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1910516D5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 273BDF second address: 273BE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 273CE7 second address: 273CEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 273CEE second address: 273D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jns 00007F19111E380Eh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 jmp 00007F19111E380Ah 0x00000018 jmp 00007F19111E380Ch 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 pop eax 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 273D28 second address: 273D2E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 273D2E second address: 273D69 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F19111E3808h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jmp 00007F19111E380Eh 0x00000015 pop eax 0x00000016 and dl, FFFFFF86h 0x00000019 mov ecx, dword ptr [ebp+122D1FA1h] 0x0000001f lea ebx, dword ptr [ebp+1245E788h] 0x00000025 add esi, dword ptr [ebp+122D3A45h] 0x0000002b xchg eax, ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 pop eax 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 273D69 second address: 273D73 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1910516D56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 291771 second address: 291785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19111E380Dh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29192B second address: 291935 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1910516D56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 291D78 second address: 291D92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3814h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 291D92 second address: 291DB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jne 00007F1910516D56h 0x0000000b jmp 00007F1910516D60h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 291DB4 second address: 291DBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 292198 second address: 29219E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29219E second address: 2921A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2921A4 second address: 2921B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jne 00007F1910516D56h 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 292494 second address: 292498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 292498 second address: 29249E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29249E second address: 2924A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F19111E3806h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2924A8 second address: 2924AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26368C second address: 263690 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 263690 second address: 263696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 293038 second address: 29303C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2931DA second address: 2931F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1910516D62h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2931F5 second address: 2931F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2931F9 second address: 293221 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1910516D56h 0x00000008 jmp 00007F1910516D65h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jnl 00007F1910516D56h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 293221 second address: 293256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F19111E3813h 0x0000000c pushad 0x0000000d jmp 00007F19111E380Dh 0x00000012 jmp 00007F19111E380Bh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 293256 second address: 293263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F1910516D56h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 265083 second address: 26508F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F19111E3806h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26508F second address: 26509B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F1910516D56h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 26509B second address: 2650BB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F19111E3806h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F19111E380Eh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 298212 second address: 298216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25AFDF second address: 25AFE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25AFE4 second address: 25AFEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25AFEA second address: 25AFF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25AFF2 second address: 25AFFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 25AFFE second address: 25B004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29AEF9 second address: 29AEFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2996D4 second address: 2996D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29B03F second address: 29B06D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F1910516D56h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jp 00007F1910516D58h 0x00000016 push ebx 0x00000017 jmp 00007F1910516D5Ah 0x0000001c pop ebx 0x0000001d popad 0x0000001e mov eax, dword ptr [esp+04h] 0x00000022 push eax 0x00000023 push edx 0x00000024 push ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29B06D second address: 29B072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29B072 second address: 29B098 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1910516D66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F1910516D58h 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29B098 second address: 29B0AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19111E380Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29B0AA second address: 29B0D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 jc 00007F1910516D5Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29B0D2 second address: 29B0DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 29B0DA second address: 29B0DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A0E51 second address: 2A0E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A1148 second address: 2A1153 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F1910516D56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A1153 second address: 2A115F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A1F62 second address: 2A1F6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A1F6D second address: 2A1F71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A25B9 second address: 2A25BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A25BD second address: 2A25C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A2680 second address: 2A268B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F1910516D56h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A274A second address: 2A2758 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F19111E3806h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A2758 second address: 2A2777 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1910516D63h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A2777 second address: 2A2790 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3815h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A2790 second address: 2A27A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1910516D60h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A328F second address: 2A3293 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A3293 second address: 2A3299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A37BB second address: 2A37C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A37C1 second address: 2A37C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A37C5 second address: 2A37C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A40FA second address: 2A4114 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1910516D65h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A4114 second address: 2A41AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 jbe 00007F19111E3808h 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F19111E3808h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d push 00000000h 0x0000002f mov esi, dword ptr [ebp+122D3A29h] 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ebx 0x0000003a call 00007F19111E3808h 0x0000003f pop ebx 0x00000040 mov dword ptr [esp+04h], ebx 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc ebx 0x0000004d push ebx 0x0000004e ret 0x0000004f pop ebx 0x00000050 ret 0x00000051 push ecx 0x00000052 or edi, 4D7D67C3h 0x00000058 pop edi 0x00000059 xchg eax, ebx 0x0000005a jmp 00007F19111E3810h 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007F19111E3817h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A725A second address: 2A7277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1910516D5Ch 0x0000000a jnl 00007F1910516D56h 0x00000010 popad 0x00000011 push eax 0x00000012 jl 00007F1910516D60h 0x00000018 pushad 0x00000019 push edx 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A7D90 second address: 2A7DEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, 0E239B0Bh 0x0000000e mov edi, esi 0x00000010 push 00000000h 0x00000012 stc 0x00000013 push 00000000h 0x00000015 stc 0x00000016 push ebx 0x00000017 pop edi 0x00000018 xchg eax, ebx 0x00000019 pushad 0x0000001a jmp 00007F19111E3815h 0x0000001f pushad 0x00000020 ja 00007F19111E3806h 0x00000026 jns 00007F19111E3806h 0x0000002c popad 0x0000002d popad 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F19111E3819h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A7DEA second address: 2A7DFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1910516D60h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A8697 second address: 2A86A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19111E380Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A90C8 second address: 2A90CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AA355 second address: 2AA365 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F19111E3812h 0x00000008 jnp 00007F19111E3806h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AA365 second address: 2AA37D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F1910516D5Eh 0x0000000a js 00007F1910516D56h 0x00000010 push edi 0x00000011 pop edi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AA37D second address: 2AA383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AD144 second address: 2AD14A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AD14A second address: 2AD154 instructions: 0x00000000 rdtsc 0x00000002 je 00007F19111E3806h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 261BAF second address: 261BB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B0E66 second address: 2B0E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F19111E380Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B134D second address: 2B1351 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B1351 second address: 2B135E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B2535 second address: 2B256A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1910516D5Dh 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F1910516D69h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B154C second address: 2B1551 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B1551 second address: 2B1562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 jc 00007F1910516D5Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B1656 second address: 2B165C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B165C second address: 2B166F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1910516D5Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B2779 second address: 2B2789 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19111E380Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B44BC second address: 2B44C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B372A second address: 2B3742 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jbe 00007F19111E3814h 0x0000000f pushad 0x00000010 jno 00007F19111E3806h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B3742 second address: 2B37E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push edi 0x00000009 call 00007F1910516D58h 0x0000000e pop edi 0x0000000f mov dword ptr [esp+04h], edi 0x00000013 add dword ptr [esp+04h], 00000014h 0x0000001b inc edi 0x0000001c push edi 0x0000001d ret 0x0000001e pop edi 0x0000001f ret 0x00000020 push dword ptr fs:[00000000h] 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007F1910516D58h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 00000015h 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 mov ebx, dword ptr [ebp+122D3362h] 0x00000047 mov dword ptr fs:[00000000h], esp 0x0000004e mov eax, dword ptr [ebp+122D024Dh] 0x00000054 push FFFFFFFFh 0x00000056 push 00000000h 0x00000058 push ecx 0x00000059 call 00007F1910516D58h 0x0000005e pop ecx 0x0000005f mov dword ptr [esp+04h], ecx 0x00000063 add dword ptr [esp+04h], 0000001Bh 0x0000006b inc ecx 0x0000006c push ecx 0x0000006d ret 0x0000006e pop ecx 0x0000006f ret 0x00000070 mov edi, dword ptr [ebp+122D1C8Fh] 0x00000076 push eax 0x00000077 jng 00007F1910516D74h 0x0000007d push eax 0x0000007e push edx 0x0000007f jmp 00007F1910516D66h 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B55FB second address: 2B55FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B466F second address: 2B471B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007F1910516D64h 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F1910516D58h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f add dword ptr [ebp+122D1885h], esi 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c cmc 0x0000003d mov eax, dword ptr [ebp+122D100Dh] 0x00000043 call 00007F1910516D69h 0x00000048 mov ebx, dword ptr [ebp+122D3711h] 0x0000004e pop ebx 0x0000004f push FFFFFFFFh 0x00000051 push 00000000h 0x00000053 push ebp 0x00000054 call 00007F1910516D58h 0x00000059 pop ebp 0x0000005a mov dword ptr [esp+04h], ebp 0x0000005e add dword ptr [esp+04h], 00000019h 0x00000066 inc ebp 0x00000067 push ebp 0x00000068 ret 0x00000069 pop ebp 0x0000006a ret 0x0000006b or dword ptr [ebp+122D33C0h], ecx 0x00000071 add dword ptr [ebp+122D32ABh], ecx 0x00000077 nop 0x00000078 push eax 0x00000079 push edx 0x0000007a pushad 0x0000007b push eax 0x0000007c push edx 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B471B second address: 2B4722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B752B second address: 2B752F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B75AE second address: 2B75B8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F19111E3806h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B858E second address: 2B8598 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F1910516D56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B8598 second address: 2B859C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B859C second address: 2B85AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F1910516D56h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B771D second address: 2B7727 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F19111E3806h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B7727 second address: 2B772E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B85AE second address: 2B85FF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F19111E3808h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f nop 0x00000010 jo 00007F19111E3819h 0x00000016 jmp 00007F19111E3813h 0x0000001b push 00000000h 0x0000001d add dword ptr [ebp+12488F2Bh], edx 0x00000023 push 00000000h 0x00000025 pushad 0x00000026 jmp 00007F19111E380Fh 0x0000002b sub eax, 1C83AC21h 0x00000031 popad 0x00000032 xchg eax, esi 0x00000033 push eax 0x00000034 push edx 0x00000035 push edi 0x00000036 push eax 0x00000037 pop eax 0x00000038 pop edi 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B85FF second address: 2B861F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnp 00007F1910516D56h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F1910516D5Fh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B861F second address: 2B8634 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3811h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B8750 second address: 2B8763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F1910516D5Bh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B8763 second address: 2B87EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007F19111E3819h 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F19111E3808h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 mov eax, dword ptr [ebp+122D0245h] 0x0000003c push 00000000h 0x0000003e push ebp 0x0000003f call 00007F19111E3808h 0x00000044 pop ebp 0x00000045 mov dword ptr [esp+04h], ebp 0x00000049 add dword ptr [esp+04h], 0000001Ch 0x00000051 inc ebp 0x00000052 push ebp 0x00000053 ret 0x00000054 pop ebp 0x00000055 ret 0x00000056 mov bl, 14h 0x00000058 push FFFFFFFFh 0x0000005a xor edi, 727A9243h 0x00000060 push eax 0x00000061 push ecx 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BB453 second address: 2BB49F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007F1910516D5Dh 0x0000000e push 00000000h 0x00000010 pushad 0x00000011 je 00007F1910516D6Ah 0x00000017 jmp 00007F1910516D64h 0x0000001c movsx edx, bx 0x0000001f popad 0x00000020 push 00000000h 0x00000022 mov edi, esi 0x00000024 push eax 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F1910516D5Dh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BD346 second address: 2BD34A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BE342 second address: 2BE34C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F1910516D56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BE34C second address: 2BE373 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F19111E3818h 0x00000011 push eax 0x00000012 pop eax 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B97AD second address: 2B97B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BE373 second address: 2BE378 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B97B2 second address: 2B97B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B97B8 second address: 2B97BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF2E8 second address: 2BF2ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF2ED second address: 2BF2F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C02DA second address: 2C02E4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1910516D5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF531 second address: 2BF537 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2BF537 second address: 2BF53C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C04F5 second address: 2C04F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2C04F9 second address: 2C0513 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CAC2B second address: 2CAC59 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F19111E3806h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F19111E380Ah 0x00000012 jmp 00007F19111E3811h 0x00000017 popad 0x00000018 pushad 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CAC59 second address: 2CAC61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CA3FD second address: 2CA401 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CA401 second address: 2CA409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CA409 second address: 2CA415 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F19111E3806h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CA5B4 second address: 2CA5B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CA5B8 second address: 2CA5BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CA5BC second address: 2CA5C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CA863 second address: 2CA868 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CA868 second address: 2CA8A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1910516D5Fh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007F1910516D89h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F1910516D66h 0x0000001b jp 00007F1910516D56h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CA8A4 second address: 2CA8A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2CD1E6 second address: 2CD1EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D793A second address: 2D794B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F19111E3806h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D794B second address: 2D794F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D794F second address: 2D7955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D7955 second address: 2D7976 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1910516D5Ch 0x00000008 pushad 0x00000009 jmp 00007F1910516D60h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 256002 second address: 256006 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6570 second address: 2D6576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6576 second address: 2D6581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F19111E3806h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6581 second address: 2D65A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 jmp 00007F1910516D5Eh 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jno 00007F1910516D56h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D65A2 second address: 2D65C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F19111E3806h 0x00000010 jmp 00007F19111E3817h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6CE2 second address: 2D6CFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1910516D5Fh 0x0000000c jc 00007F1910516D56h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6CFE second address: 2D6D3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F19111E3817h 0x0000000e jnl 00007F19111E3806h 0x00000014 pop edx 0x00000015 popad 0x00000016 jo 00007F19111E3837h 0x0000001c push edx 0x0000001d jmp 00007F19111E380Bh 0x00000022 push ecx 0x00000023 pop ecx 0x00000024 pop edx 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D6D3E second address: 2D6D46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D7032 second address: 2D7048 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3812h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D7048 second address: 2D705F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1910516D63h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D705F second address: 2D706E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E380Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D7492 second address: 2D749D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D749D second address: 2D74C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F19111E3806h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007F19111E3806h 0x00000015 jmp 00007F19111E3814h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2D767D second address: 2D7687 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1910516D56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DB97A second address: 2DB99C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F19111E3819h 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DC034 second address: 2DC03A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DC344 second address: 2DC348 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DC645 second address: 2DC65F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1910516D5Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jnp 00007F1910516D56h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 je 00007F1910516D56h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 289A7D second address: 289A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2DCCE3 second address: 2DCD0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1910516D62h 0x00000009 jmp 00007F1910516D5Eh 0x0000000e popad 0x0000000f push ebx 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E05BC second address: 2E05C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E05C0 second address: 2E05C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E05C6 second address: 2E05E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3819h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E05E5 second address: 2E05EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E05EB second address: 2E05EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E05EF second address: 2E05F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E05F3 second address: 2E05F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E05F9 second address: 2E0606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E0606 second address: 2E061A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F19111E3806h 0x0000000a pop edx 0x0000000b push edi 0x0000000c jl 00007F19111E3806h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E061A second address: 2E061F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2595C3 second address: 2595C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2595C7 second address: 2595E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1910516D56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007F1910516D5Ch 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E5942 second address: 2E5968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007F19111E3819h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E5968 second address: 2E596C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E596C second address: 2E59B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3819h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop ecx 0x0000000f push ebx 0x00000010 jmp 00007F19111E3819h 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push edi 0x0000001b pop edi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E5362 second address: 2E5366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E5366 second address: 2E537B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19111E380Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E537B second address: 2E538D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1910516D5Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E538D second address: 2E5391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E5618 second address: 2E5631 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F1910516D64h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E5631 second address: 2E563A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E563A second address: 2E563E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E563E second address: 2E5648 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F19111E3806h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E5648 second address: 2E5668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F1910516D66h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AF264 second address: 288F89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3816h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D1853h], ebx 0x00000012 lea eax, dword ptr [ebp+12499FD1h] 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007F19111E3808h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 push eax 0x00000033 jp 00007F19111E3810h 0x00000039 mov dword ptr [esp], eax 0x0000003c pushad 0x0000003d mov dword ptr [ebp+122D572Bh], eax 0x00000043 mov ecx, dword ptr [ebp+122D397Dh] 0x00000049 popad 0x0000004a push edi 0x0000004b movsx edx, cx 0x0000004e pop edx 0x0000004f call dword ptr [ebp+124585DFh] 0x00000055 pushad 0x00000056 jns 00007F19111E380Ah 0x0000005c push eax 0x0000005d jno 00007F19111E3806h 0x00000063 jmp 00007F19111E3813h 0x00000068 pop eax 0x00000069 pushad 0x0000006a jnl 00007F19111E3806h 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AF56E second address: 2AF598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F1910516D58h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f jmp 00007F1910516D68h 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AF93E second address: 2AF96B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F19111E380Bh 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jmp 00007F19111E380Fh 0x00000016 mov eax, dword ptr [eax] 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AF96B second address: 2AF990 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1910516D56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 jmp 00007F1910516D61h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AF990 second address: 2AF9D0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 call 00007F19111E380Dh 0x0000000d mov dword ptr [ebp+1248C3A1h], edi 0x00000013 pop edx 0x00000014 jmp 00007F19111E3819h 0x00000019 push 0C9DA651h 0x0000001e pushad 0x0000001f pushad 0x00000020 push edx 0x00000021 pop edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AFAB1 second address: 2AFAB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AFAB5 second address: 2AFAC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jc 00007F19111E3806h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2AFB56 second address: 2AFB6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E902D second address: 2E9048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 ja 00007F19111E3806h 0x0000000e popad 0x0000000f pop eax 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007F19111E3806h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E9307 second address: 2E930D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E930D second address: 2E931A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E931A second address: 2E9320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E9320 second address: 2E9333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 ja 00007F19111E3806h 0x0000000c jno 00007F19111E3806h 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E9494 second address: 2E94B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jnl 00007F1910516D56h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop ebx 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 js 00007F1910516D56h 0x0000001c jg 00007F1910516D56h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E9623 second address: 2E9644 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3818h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E9644 second address: 2E9648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E9648 second address: 2E966B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F19111E3806h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F19111E3815h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E966B second address: 2E967D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1910516D56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F1910516D56h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2E9A71 second address: 2E9A9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3819h 0x00000007 jmp 00007F19111E380Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EE5EA second address: 2EE605 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F1910516D65h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EE605 second address: 2EE61D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F19111E3806h 0x00000009 jc 00007F19111E3806h 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EE61D second address: 2EE627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F1910516D56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2EE627 second address: 2EE62B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F054B second address: 2F0577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1910516D66h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007F1910516D56h 0x00000015 jno 00007F1910516D56h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F0577 second address: 2F057F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F057F second address: 2F058D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1910516D5Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F06F6 second address: 2F070B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19111E3810h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F7A9D second address: 2F7AA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2F7D71 second address: 2F7D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F19111E3806h 0x0000000a pop esi 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop edx 0x00000015 popad 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FB4D6 second address: 2FB4DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FB7A5 second address: 2FB7C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19111E3813h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FB7C0 second address: 2FB7CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FB7CD second address: 2FB7D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F19111E3806h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FB94B second address: 2FB955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F1910516D56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FB955 second address: 2FB96B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E380Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F19111E3812h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2FBABB second address: 2FBAC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30097C second address: 300987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F19111E3806h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 300987 second address: 3009A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D67h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B007F second address: 2B0093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19111E3810h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B0093 second address: 2B00EA instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1910516D56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F1910516D58h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 jmp 00007F1910516D63h 0x0000002c mov ebx, dword ptr [ebp+1249A010h] 0x00000032 cld 0x00000033 and dl, 0000007Ah 0x00000036 add eax, ebx 0x00000038 mov cx, ax 0x0000003b nop 0x0000003c pushad 0x0000003d push ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2B00EA second address: 2B016A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F19111E380Eh 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e jmp 00007F19111E3814h 0x00000013 pop ecx 0x00000014 jmp 00007F19111E3819h 0x00000019 popad 0x0000001a nop 0x0000001b mov edx, 2D681BF8h 0x00000020 push 00000004h 0x00000022 push 00000000h 0x00000024 push eax 0x00000025 call 00007F19111E3808h 0x0000002a pop eax 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f add dword ptr [esp+04h], 0000001Dh 0x00000037 inc eax 0x00000038 push eax 0x00000039 ret 0x0000003a pop eax 0x0000003b ret 0x0000003c mov edx, dword ptr [ebp+12458EB0h] 0x00000042 nop 0x00000043 push eax 0x00000044 push edx 0x00000045 push ebx 0x00000046 push eax 0x00000047 pop eax 0x00000048 pop ebx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 303164 second address: 303184 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1910516D6Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 303184 second address: 303188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 303188 second address: 30318C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30952D second address: 309531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 309892 second address: 309898 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 309898 second address: 3098A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 jns 00007F19111E3806h 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3098A8 second address: 3098B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F1910516D56h 0x00000009 jnl 00007F1910516D56h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30A455 second address: 30A462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnp 00007F19111E380Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30A75D second address: 30A7A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F1910516D6Ch 0x0000000b jmp 00007F1910516D66h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F1910516D69h 0x0000001d je 00007F1910516D56h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30A7A6 second address: 30A7AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30AA8E second address: 30AA94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30AD5A second address: 30AD5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30AD5F second address: 30AD65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30AD65 second address: 30AD69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30AD69 second address: 30AD87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F1910516D5Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30AD87 second address: 30AD8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30AD8B second address: 30AD9F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F1910516D5Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30AD9F second address: 30ADD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F19111E3806h 0x00000009 jmp 00007F19111E3811h 0x0000000e jmp 00007F19111E3810h 0x00000013 popad 0x00000014 ja 00007F19111E3816h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30B0B6 second address: 30B0BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30B0BD second address: 30B0C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30B0C3 second address: 30B0D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 30B0D0 second address: 30B0D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3129D5 second address: 3129DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 312B08 second address: 312B11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 312B11 second address: 312B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F1910516D56h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 312B20 second address: 312B25 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 312E10 second address: 312E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F1910516D58h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F1910516D5Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 312E2D second address: 312E37 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F19111E3806h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31322B second address: 31322F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31322F second address: 313247 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F19111E380Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 313247 second address: 31324B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31324B second address: 313251 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 313251 second address: 31325E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 31A1E8 second address: 31A210 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E380Dh 0x00000007 jns 00007F19111E3806h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F19111E3811h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33041E second address: 330426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 330426 second address: 330431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 330431 second address: 33043D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33043D second address: 330443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 330443 second address: 330447 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 330447 second address: 33045C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jne 00007F19111E3808h 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 33045C second address: 33047C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1910516D67h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 330131 second address: 330163 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F19111E380Eh 0x0000000c jnl 00007F19111E3806h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007F19111E381Bh 0x0000001d jmp 00007F19111E3815h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 330163 second address: 330168 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 341443 second address: 341461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F19111E3819h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 341461 second address: 341468 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 341468 second address: 341486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19111E3815h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 349211 second address: 34923F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F1910516D60h 0x00000011 jmp 00007F1910516D5Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34923F second address: 349244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 347E61 second address: 347E71 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1910516D56h 0x00000008 jns 00007F1910516D56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34B796 second address: 34B79B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34B79B second address: 34B7A0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34B7A0 second address: 34B7EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19111E3819h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnp 00007F19111E3816h 0x00000013 pushad 0x00000014 push eax 0x00000015 pop eax 0x00000016 jng 00007F19111E3806h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 jno 00007F19111E3806h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34B7EB second address: 34B7EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34DB93 second address: 34DB99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 34F146 second address: 34F151 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3521A3 second address: 3521A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 351D21 second address: 351D50 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1910516D56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b pushad 0x0000000c jmp 00007F1910516D65h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1910516D5Ch 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 351EC0 second address: 351EC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 351EC4 second address: 351ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3552A5 second address: 3552A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 35B1B0 second address: 35B1BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 362A47 second address: 362A4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3602BB second address: 3602C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3602C0 second address: 3602C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 36F904 second address: 36F915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jnl 00007F1910516D5Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 371033 second address: 37103D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F19111E380Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3738CC second address: 3738F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jp 00007F1910516D56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1910516D69h 0x00000013 ja 00007F1910516D56h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3738F9 second address: 373925 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3814h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F19111E3806h 0x00000013 jmp 00007F19111E380Ah 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3893C2 second address: 3893CC instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1910516D56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3893CC second address: 3893E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jng 00007F19111E3806h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F19111E3806h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3883E1 second address: 3883ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F1910516D56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 388DA4 second address: 388DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19111E3816h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F19111E380Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 388F37 second address: 388F51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D66h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 388F51 second address: 388F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 388F5D second address: 388F61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 388F61 second address: 388F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 388F69 second address: 388F73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F1910516D56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 388F73 second address: 388F97 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F19111E3806h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b js 00007F19111E3806h 0x00000011 jns 00007F19111E3806h 0x00000017 pop edi 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jc 00007F19111E3808h 0x00000022 push edi 0x00000023 pop edi 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3890FA second address: 389102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 389102 second address: 389107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 389107 second address: 38910D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38910D second address: 389111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38F211 second address: 38F238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1910516D5Ch 0x00000009 popad 0x0000000a jnl 00007F1910516D62h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38F238 second address: 38F23C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38ED11 second address: 38ED37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop ecx 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop eax 0x0000000e jmp 00007F1910516D64h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38ED37 second address: 38ED5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3815h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F19111E380Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 2A50BC second address: 2A50C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0268 second address: 49F0302 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3814h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F19111E3810h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ebx, 467A0174h 0x00000016 pushfd 0x00000017 jmp 00007F19111E380Dh 0x0000001c jmp 00007F19111E380Bh 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F19111E3814h 0x0000002b sub cx, A658h 0x00000030 jmp 00007F19111E380Bh 0x00000035 popfd 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 pushad 0x0000003a movsx edi, ax 0x0000003d mov esi, 081D26A3h 0x00000042 popad 0x00000043 mov edx, dword ptr [ebp+0Ch] 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F19111E3815h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0302 second address: 49F0308 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A105EC second address: 4A10600 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F19111E380Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10600 second address: 4A1069F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F1910516D64h 0x0000000d push eax 0x0000000e jmp 00007F1910516D5Bh 0x00000013 xchg eax, ebp 0x00000014 pushad 0x00000015 mov ax, D5FBh 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c pushad 0x0000001d mov ecx, edi 0x0000001f pushfd 0x00000020 jmp 00007F1910516D5Fh 0x00000025 sbb cl, FFFFFFDEh 0x00000028 jmp 00007F1910516D69h 0x0000002d popfd 0x0000002e popad 0x0000002f xchg eax, ecx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007F1910516D63h 0x00000039 xor ax, D4EEh 0x0000003e jmp 00007F1910516D69h 0x00000043 popfd 0x00000044 mov esi, 18554877h 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A1069F second address: 4A106BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19111E3818h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A106BB second address: 4A10741 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov cx, dx 0x00000010 mov eax, edi 0x00000012 popad 0x00000013 xchg eax, ecx 0x00000014 jmp 00007F1910516D5Dh 0x00000019 xchg eax, esi 0x0000001a jmp 00007F1910516D5Eh 0x0000001f push eax 0x00000020 pushad 0x00000021 push edx 0x00000022 jmp 00007F1910516D5Ch 0x00000027 pop ecx 0x00000028 jmp 00007F1910516D5Bh 0x0000002d popad 0x0000002e xchg eax, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F1910516D5Bh 0x00000038 and ecx, 7CBE0B1Eh 0x0000003e jmp 00007F1910516D69h 0x00000043 popfd 0x00000044 movzx esi, bx 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10741 second address: 4A10747 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10747 second address: 4A1077D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F1910516D67h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A1077D second address: 4A107C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 jmp 00007F19111E380Bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e pushad 0x0000000f mov ecx, 71E474BBh 0x00000014 pushfd 0x00000015 jmp 00007F19111E3810h 0x0000001a jmp 00007F19111E3815h 0x0000001f popfd 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A107C5 second address: 4A107CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A107CB second address: 4A107D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A107D0 second address: 4A107FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1910516D65h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A107FB second address: 4A10801 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10801 second address: 4A10805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10805 second address: 4A10809 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10809 second address: 4A1081E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e movzx eax, dx 0x00000011 mov cx, di 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10892 second address: 4A108AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19111E3814h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A108AA second address: 4A108BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F1910516D99h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A108BE second address: 4A108C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A108C2 second address: 4A108C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A108C8 second address: 4A108CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10912 second address: 4A10916 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10916 second address: 4A1091C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A1091C second address: 4A10063 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a jmp 00007F1910516D60h 0x0000000f leave 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F1910516D5Eh 0x00000017 sbb eax, 5FFADFF8h 0x0000001d jmp 00007F1910516D5Bh 0x00000022 popfd 0x00000023 mov dh, cl 0x00000025 popad 0x00000026 retn 0004h 0x00000029 nop 0x0000002a sub esp, 04h 0x0000002d xor ebx, ebx 0x0000002f cmp eax, 00000000h 0x00000032 je 00007F1910516EA3h 0x00000038 xor eax, eax 0x0000003a mov dword ptr [esp], 00000000h 0x00000041 mov dword ptr [esp+04h], 00000000h 0x00000049 call 00007F1914E652EBh 0x0000004e mov edi, edi 0x00000050 pushad 0x00000051 movzx ecx, bx 0x00000054 call 00007F1910516D63h 0x00000059 pushfd 0x0000005a jmp 00007F1910516D68h 0x0000005f sbb si, 4648h 0x00000064 jmp 00007F1910516D5Bh 0x00000069 popfd 0x0000006a pop ecx 0x0000006b popad 0x0000006c push ebx 0x0000006d jmp 00007F1910516D64h 0x00000072 mov dword ptr [esp], ebp 0x00000075 push eax 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 pushad 0x0000007a popad 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10063 second address: 4A10067 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10067 second address: 4A1006D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A1006D second address: 4A10073 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10073 second address: 4A10077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10077 second address: 4A100D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F19111E380Ah 0x0000000f push FFFFFFFEh 0x00000011 pushad 0x00000012 call 00007F19111E380Eh 0x00000017 pop ebx 0x00000018 pushfd 0x00000019 jmp 00007F19111E380Eh 0x0000001e add ah, 00000068h 0x00000021 jmp 00007F19111E380Bh 0x00000026 popfd 0x00000027 popad 0x00000028 push 56CEDDF1h 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F19111E3812h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A100D5 second address: 4A10124 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 205443B9h 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F1910516D64h 0x00000017 or esi, 12F07228h 0x0000001d jmp 00007F1910516D5Bh 0x00000022 popfd 0x00000023 popad 0x00000024 push 6B87351Ch 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov eax, ebx 0x0000002e mov edx, 6F69D36Eh 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10124 second address: 4A10133 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19111E380Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10133 second address: 4A1015C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 1D121E6Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov cl, 05h 0x00000014 call 00007F1910516D63h 0x00000019 pop eax 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10275 second address: 4A1027B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A1027B second address: 4A1027F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A1027F second address: 4A1028E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A1028E second address: 4A10292 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10292 second address: 4A10298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10298 second address: 4A1029E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A1029E second address: 4A1031E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F19111E3816h 0x0000000e mov dword ptr [esp], edi 0x00000011 jmp 00007F19111E3810h 0x00000016 mov eax, dword ptr [769B4538h] 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F19111E380Dh 0x00000024 and cl, FFFFFFC6h 0x00000027 jmp 00007F19111E3811h 0x0000002c popfd 0x0000002d pushfd 0x0000002e jmp 00007F19111E3810h 0x00000033 adc cx, C368h 0x00000038 jmp 00007F19111E380Bh 0x0000003d popfd 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A1031E second address: 4A1039F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [ebp-08h], eax 0x0000000c jmp 00007F1910516D5Eh 0x00000011 xor eax, ebp 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F1910516D67h 0x0000001a sbb ch, FFFFFFBEh 0x0000001d jmp 00007F1910516D69h 0x00000022 popfd 0x00000023 mov edi, eax 0x00000025 popad 0x00000026 nop 0x00000027 pushad 0x00000028 mov ebx, ecx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F1910516D62h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A1039F second address: 4A103CE instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F19111E380Ch 0x0000000e nop 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F19111E3817h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A103CE second address: 4A103F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A103F4 second address: 4A103F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A103F8 second address: 4A103FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A103FE second address: 4A104C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, eax 0x00000005 mov dx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr fs:[00000000h], eax 0x00000011 jmp 00007F19111E3816h 0x00000016 mov dword ptr [ebp-18h], esp 0x00000019 pushad 0x0000001a call 00007F19111E380Eh 0x0000001f pushad 0x00000020 popad 0x00000021 pop esi 0x00000022 pushfd 0x00000023 jmp 00007F19111E3811h 0x00000028 xor ecx, 3626D5D6h 0x0000002e jmp 00007F19111E3811h 0x00000033 popfd 0x00000034 popad 0x00000035 mov eax, dword ptr fs:[00000018h] 0x0000003b pushad 0x0000003c push ecx 0x0000003d mov si, di 0x00000040 pop ebx 0x00000041 mov al, AFh 0x00000043 popad 0x00000044 mov ecx, dword ptr [eax+00000FDCh] 0x0000004a jmp 00007F19111E3817h 0x0000004f test ecx, ecx 0x00000051 jmp 00007F19111E3816h 0x00000056 jns 00007F19111E3844h 0x0000005c pushad 0x0000005d mov si, E05Dh 0x00000061 jmp 00007F19111E380Ah 0x00000066 popad 0x00000067 add eax, ecx 0x00000069 pushad 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A104C6 second address: 4A104CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A104CA second address: 4A104E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F19111E3816h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A104E8 second address: 4A10538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov ecx, dword ptr [ebp+08h] 0x00000008 jmp 00007F1910516D5Ch 0x0000000d test ecx, ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F1910516D5Dh 0x00000018 add ax, 5CB6h 0x0000001d jmp 00007F1910516D61h 0x00000022 popfd 0x00000023 call 00007F1910516D60h 0x00000028 pop esi 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10538 second address: 4A10553 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19111E3817h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00031 second address: 4A00041 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1910516D5Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00041 second address: 4A00045 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00045 second address: 4A00078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F1910516D5Eh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 movzx ecx, di 0x00000013 push ebx 0x00000014 mov ax, D965h 0x00000018 pop eax 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F1910516D5Ch 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00078 second address: 4A0007E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0007E second address: 4A00082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00082 second address: 4A00086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00086 second address: 4A000E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 2Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F1910516D62h 0x00000014 and si, ADD8h 0x00000019 jmp 00007F1910516D5Bh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F1910516D68h 0x00000025 adc esi, 1F66F838h 0x0000002b jmp 00007F1910516D5Bh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A000E4 second address: 4A00142 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 2EDA805Ah 0x00000008 movsx edx, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F19111E3818h 0x00000016 sub esi, 1E6431C8h 0x0000001c jmp 00007F19111E380Bh 0x00000021 popfd 0x00000022 call 00007F19111E3818h 0x00000027 mov ah, 95h 0x00000029 pop ebx 0x0000002a popad 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00142 second address: 4A00158 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A001B0 second address: 4A001C7 instructions: 0x00000000 rdtsc 0x00000002 mov bl, ch 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ebx, 04FC4F42h 0x0000000b popad 0x0000000c mov ebx, 00000000h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A001C7 second address: 4A001E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A001E2 second address: 4A001E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A001E8 second address: 4A001EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A001EC second address: 4A00248 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, 00000000h 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F19111E380Ah 0x00000014 xor cl, 00000038h 0x00000017 jmp 00007F19111E380Bh 0x0000001c popfd 0x0000001d push esi 0x0000001e mov ecx, edi 0x00000020 pop edx 0x00000021 popad 0x00000022 inc ebx 0x00000023 pushad 0x00000024 mov bx, ax 0x00000027 push eax 0x00000028 mov ecx, ebx 0x0000002a pop edx 0x0000002b popad 0x0000002c test al, al 0x0000002e jmp 00007F19111E380Eh 0x00000033 je 00007F19111E3A5Dh 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F19111E380Ch 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00248 second address: 4A002C7 instructions: 0x00000000 rdtsc 0x00000002 call 00007F1910516D62h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushfd 0x0000000b jmp 00007F1910516D5Bh 0x00000010 sbb ecx, 1AFBFBBEh 0x00000016 jmp 00007F1910516D69h 0x0000001b popfd 0x0000001c popad 0x0000001d lea ecx, dword ptr [ebp-14h] 0x00000020 pushad 0x00000021 pushad 0x00000022 movsx edi, ax 0x00000025 popad 0x00000026 popad 0x00000027 mov dword ptr [ebp-14h], edi 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d jmp 00007F1910516D68h 0x00000032 jmp 00007F1910516D62h 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A002F2 second address: 4A00324 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3811h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F19111E3818h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00324 second address: 4A00328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00328 second address: 4A0032E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0032E second address: 4A0033F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1910516D5Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0033F second address: 4A00343 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0037E second address: 4A0040B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 pushfd 0x00000007 jmp 00007F1910516D5Bh 0x0000000c sbb ah, FFFFFFBEh 0x0000000f jmp 00007F1910516D69h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 test eax, eax 0x0000001a jmp 00007F1910516D5Eh 0x0000001f jg 00007F1982474E22h 0x00000025 pushad 0x00000026 movzx esi, bx 0x00000029 pushfd 0x0000002a jmp 00007F1910516D63h 0x0000002f or esi, 3A84817Eh 0x00000035 jmp 00007F1910516D69h 0x0000003a popfd 0x0000003b popad 0x0000003c js 00007F1910516DE1h 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0040B second address: 4A0040F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A0040F second address: 4A00422 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00422 second address: 4A004E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3819h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-14h], edi 0x0000000c jmp 00007F19111E380Eh 0x00000011 jne 00007F1983141851h 0x00000017 pushad 0x00000018 mov cl, B6h 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F19111E3819h 0x00000021 adc eax, 6E40E926h 0x00000027 jmp 00007F19111E3811h 0x0000002c popfd 0x0000002d mov bh, al 0x0000002f popad 0x00000030 popad 0x00000031 mov ebx, dword ptr [ebp+08h] 0x00000034 jmp 00007F19111E3813h 0x00000039 lea eax, dword ptr [ebp-2Ch] 0x0000003c pushad 0x0000003d pushfd 0x0000003e jmp 00007F19111E3814h 0x00000043 add esi, 3C6AAD28h 0x00000049 jmp 00007F19111E380Bh 0x0000004e popfd 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F19111E3816h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A004E9 second address: 4A00513 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pop esi 0x0000000c pop edi 0x0000000d jmp 00007F1910516D64h 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00513 second address: 4A00518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00518 second address: 4A00538 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, bl 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1910516D63h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A005FE second address: 4A00602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00602 second address: 4A00608 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0DCC second address: 49F0E31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3819h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov eax, ebx 0x0000000d pushfd 0x0000000e jmp 00007F19111E3813h 0x00000013 adc ax, D57Eh 0x00000018 jmp 00007F19111E3819h 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F19111E380Dh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0E31 second address: 49F0E37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0E37 second address: 49F0E82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [ebp-04h], 55534552h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F19111E3817h 0x00000018 sbb esi, 54C224EEh 0x0000001e jmp 00007F19111E3819h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0EB9 second address: 49F0ED2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 movsx edx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b leave 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1910516D5Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0ED2 second address: 49F0ED8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0ED8 second address: 49F0EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49F0EDC second address: 49F0EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00A6A second address: 4A00A6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00A6E second address: 4A00A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00A74 second address: 4A00A79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00A79 second address: 4A00ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f pushad 0x00000010 push edi 0x00000011 pop esi 0x00000012 mov dh, EDh 0x00000014 popad 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 jmp 00007F19111E380Ah 0x0000001c mov ebp, esp 0x0000001e jmp 00007F19111E3810h 0x00000023 cmp dword ptr [769B459Ch], 05h 0x0000002a jmp 00007F19111E3810h 0x0000002f je 00007F1983131742h 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 push edx 0x00000039 pop eax 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00ACF second address: 4A00AD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00AD5 second address: 4A00AD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00B0D second address: 4A00B16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, 7D6Eh 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00B16 second address: 4A00B1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00B1C second address: 4A00BA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 5175A833h 0x00000010 jmp 00007F1910516D61h 0x00000015 xor dword ptr [esp], 27EF341Bh 0x0000001c pushad 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F1910516D5Ah 0x00000024 sbb si, 5418h 0x00000029 jmp 00007F1910516D5Bh 0x0000002e popfd 0x0000002f mov ah, EFh 0x00000031 popad 0x00000032 push edi 0x00000033 movzx esi, bx 0x00000036 pop edi 0x00000037 popad 0x00000038 call 00007F198246BD54h 0x0000003d push 76952B70h 0x00000042 push dword ptr fs:[00000000h] 0x00000049 mov eax, dword ptr [esp+10h] 0x0000004d mov dword ptr [esp+10h], ebp 0x00000051 lea ebp, dword ptr [esp+10h] 0x00000055 sub esp, eax 0x00000057 push ebx 0x00000058 push esi 0x00000059 push edi 0x0000005a mov eax, dword ptr [769B4538h] 0x0000005f xor dword ptr [ebp-04h], eax 0x00000062 xor eax, ebp 0x00000064 push eax 0x00000065 mov dword ptr [ebp-18h], esp 0x00000068 push dword ptr [ebp-08h] 0x0000006b mov eax, dword ptr [ebp-04h] 0x0000006e mov dword ptr [ebp-04h], FFFFFFFEh 0x00000075 mov dword ptr [ebp-08h], eax 0x00000078 lea eax, dword ptr [ebp-10h] 0x0000007b mov dword ptr fs:[00000000h], eax 0x00000081 ret 0x00000082 jmp 00007F1910516D68h 0x00000087 sub esi, esi 0x00000089 push eax 0x0000008a push edx 0x0000008b jmp 00007F1910516D5Ch 0x00000090 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00BE3 second address: 4A00BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00BE7 second address: 4A00BEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00BEB second address: 4A00BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A00BF1 second address: 4A00C54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F198245AAD2h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F1910516D5Dh 0x00000016 sub eax, 131ECB36h 0x0000001c jmp 00007F1910516D61h 0x00000021 popfd 0x00000022 popad 0x00000023 cmp dword ptr [ebp+08h], 00002000h 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d push edi 0x0000002e pop ecx 0x0000002f call 00007F1910516D5Fh 0x00000034 pop ecx 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A109CB second address: 4A109CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A109CF second address: 4A109D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A109D5 second address: 4A10A28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 57691263h 0x00000008 pushfd 0x00000009 jmp 00007F19111E3818h 0x0000000e xor cx, 20A8h 0x00000013 jmp 00007F19111E380Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, esi 0x0000001d jmp 00007F19111E3816h 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10A28 second address: 4A10A2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10A2C second address: 4A10A48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3818h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10A48 second address: 4A10AB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F1910516D64h 0x00000011 or ax, 07C8h 0x00000016 jmp 00007F1910516D5Bh 0x0000001b popfd 0x0000001c push esi 0x0000001d mov edi, 161DE56Ah 0x00000022 pop edi 0x00000023 popad 0x00000024 mov esi, dword ptr [ebp+0Ch] 0x00000027 jmp 00007F1910516D5Eh 0x0000002c test esi, esi 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F1910516D67h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10AB3 second address: 4A10ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F19111E3814h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10ACB second address: 4A10ACF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10ACF second address: 4A10B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F19831210E6h 0x0000000e jmp 00007F19111E3817h 0x00000013 cmp dword ptr [769B459Ch], 05h 0x0000001a jmp 00007F19111E3816h 0x0000001f je 00007F198313918Ch 0x00000025 jmp 00007F19111E3810h 0x0000002a xchg eax, esi 0x0000002b pushad 0x0000002c push esi 0x0000002d jmp 00007F19111E380Dh 0x00000032 pop ecx 0x00000033 mov ah, dh 0x00000035 popad 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F19111E3815h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10B55 second address: 4A10B5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10B5B second address: 4A10B80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, ax 0x00000006 mov edx, esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F19111E3817h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10B80 second address: 4A10B86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10B86 second address: 4A10B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10BBB second address: 4A10BC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10BC1 second address: 4A10BC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10BC5 second address: 4A10BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1910516D5Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10C0D second address: 4A10C13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10C13 second address: 4A10C19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10C19 second address: 4A10C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4A10C1D second address: 4A10C21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5E408 second address: 5D5E40C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5E40C second address: 5D5E41A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F1910516D56h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5DD02 second address: 5D5DD08 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5DD08 second address: 5D5DD12 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1910516D5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ECC92A second address: 5ECC930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED1289 second address: 5ED12A3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1910516D56h 0x00000008 jmp 00007F1910516D5Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED12A3 second address: 5ED12A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED12A9 second address: 5ED12AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED12AD second address: 5ED12B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED140D second address: 5ED1431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007F1910516D56h 0x0000000c popad 0x0000000d pushad 0x0000000e jng 00007F1910516D56h 0x00000014 jmp 00007F1910516D5Ah 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED16CC second address: 5ED16D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED16D4 second address: 5ED16DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED16DA second address: 5ED16E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED186E second address: 5ED1874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED1984 second address: 5ED1988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED1988 second address: 5ED19A4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1910516D56h 0x00000008 jmp 00007F1910516D62h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED5463 second address: 5ED546D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F19111E3806h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED546D second address: 5ED5481 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1910516D56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED5481 second address: 5ED548B instructions: 0x00000000 rdtsc 0x00000002 je 00007F19111E3806h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED548B second address: 5ED5495 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F1910516D56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED5495 second address: 5ED54AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jnl 00007F19111E380Eh 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED558B second address: 5ED55B0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F1910516D56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1910516D69h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED55B0 second address: 5ED55B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED55B4 second address: 5ED55EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 239CC6C3h 0x0000000e pushad 0x0000000f mov si, 18C1h 0x00000013 jmp 00007F1910516D5Bh 0x00000018 popad 0x00000019 lea ebx, dword ptr [ebp+1244B312h] 0x0000001f mov esi, edx 0x00000021 mov edi, dword ptr [ebp+122D2D6Fh] 0x00000027 xchg eax, ebx 0x00000028 jg 00007F1910516D64h 0x0000002e push eax 0x0000002f push edx 0x00000030 push edi 0x00000031 pop edi 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED55EC second address: 5ED55F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED55F0 second address: 5ED5610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F1910516D60h 0x0000000d jns 00007F1910516D5Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED5649 second address: 5ED56B5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F19111E3808h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F19111E3810h 0x00000010 nop 0x00000011 pushad 0x00000012 mov eax, dword ptr [ebp+122D2620h] 0x00000018 movzx eax, ax 0x0000001b popad 0x0000001c push 00000000h 0x0000001e jmp 00007F19111E3814h 0x00000023 mov edx, dword ptr [ebp+122D39F9h] 0x00000029 call 00007F19111E3809h 0x0000002e push ebx 0x0000002f push ebx 0x00000030 jmp 00007F19111E3814h 0x00000035 pop ebx 0x00000036 pop ebx 0x00000037 push eax 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED56B5 second address: 5ED56B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED56B9 second address: 5ED570D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F19111E3806h 0x0000000d jmp 00007F19111E3817h 0x00000012 popad 0x00000013 popad 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 js 00007F19111E3810h 0x0000001e jmp 00007F19111E380Ah 0x00000023 mov eax, dword ptr [eax] 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F19111E3816h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED570D second address: 5ED5713 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED5713 second address: 5ED5717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED5717 second address: 5ED571B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED571B second address: 5ED57B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jmp 00007F19111E3815h 0x00000011 pop eax 0x00000012 or esi, dword ptr [ebp+122D2CCBh] 0x00000018 push 00000003h 0x0000001a mov dword ptr [ebp+122D1E1Fh], ebx 0x00000020 push 00000000h 0x00000022 sbb cl, FFFFFFF6h 0x00000025 push 00000003h 0x00000027 push 00000000h 0x00000029 push edx 0x0000002a call 00007F19111E3808h 0x0000002f pop edx 0x00000030 mov dword ptr [esp+04h], edx 0x00000034 add dword ptr [esp+04h], 00000017h 0x0000003c inc edx 0x0000003d push edx 0x0000003e ret 0x0000003f pop edx 0x00000040 ret 0x00000041 je 00007F19111E3806h 0x00000047 push A4F8F337h 0x0000004c jmp 00007F19111E3818h 0x00000051 add dword ptr [esp], 1B070CC9h 0x00000058 adc dx, 4B16h 0x0000005d lea ebx, dword ptr [ebp+1244B31Bh] 0x00000063 or edx, dword ptr [ebp+122D1FD7h] 0x00000069 push eax 0x0000006a je 00007F19111E3814h 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED57B7 second address: 5ED57BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED580E second address: 5ED5813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED5813 second address: 5ED5818 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF46B5 second address: 5EF46CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3815h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF484F second address: 5EF4855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF4855 second address: 5EF4859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF4859 second address: 5EF486E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1910516D5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF498F second address: 5EF499A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF499A second address: 5EF499E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF499E second address: 5EF49A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF49A2 second address: 5EF49A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF5088 second address: 5EF50AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F19111E3815h 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f jp 00007F19111E3806h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF5201 second address: 5EF5205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF5328 second address: 5EF5337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F19111E3806h 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF5337 second address: 5EF534F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1910516D64h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF534F second address: 5EF538D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F19111E3812h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 jmp 00007F19111E3816h 0x00000015 jns 00007F19111E3806h 0x0000001b pop esi 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF538D second address: 5EF5393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF5393 second address: 5EF5397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF5397 second address: 5EF539B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E8A80 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 29989D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 2AF478 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 327F3A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5D5DC42 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5D5DD58 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5D5DC4E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5EF7F43 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5F99D3B instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D5DFD9 rdtsc 0_2_05D5DFD9
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 5952 Thread sleep time: -44022s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 340 Thread sleep time: -32016s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4412 Thread sleep time: -32000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3660 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5392 Thread sleep time: -30015s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4016 Thread sleep time: -42021s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, file.exe, 00000000.00000002.2583109600.0000000005EDA000.00000040.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2578846156.0000000000278000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2582742277.0000000005C1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: file.exe, 00000000.00000003.2239268803.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2579497100.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2237871217.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2239058013.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2237491903.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240546025.0000000000B56000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238596385.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2446364692.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2238110756.0000000000B55000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2165412620.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240259411.0000000000B56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: file.exe, 00000000.00000003.2189860535.0000000005385000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696487552p
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: file.exe, 00000000.00000002.2583109600.0000000005EDA000.00000040.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2578846156.0000000000278000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2582742277.0000000005C1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: file.exe, 00000000.00000003.2189860535.0000000005380000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05D5DFD9 rdtsc 0_2_05D5DFD9
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=file.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: file.exe, file.exe, 00000000.00000002.2578846156.0000000000278000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 4Program Manager
Source: file.exe, file.exe, 00000000.00000002.2583109600.0000000005EDA000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: $WProgram Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: file.exe, 00000000.00000003.2264719548.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 1596, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe, 00000000.00000003.2239268803.0000000000B55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum-LTC
Source: file.exe, 00000000.00000003.2239268803.0000000000B55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: file.exe, 00000000.00000003.2239268803.0000000000B55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: file.exe, 00000000.00000003.2165412620.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Libertyv
Source: file.exe, 00000000.00000003.2165412620.0000000000B53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000003.2240607679.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: file.exe, 00000000.00000003.2239268803.0000000000B55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: file.exe, 00000000.00000003.2237871217.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000003.2237871217.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000003.2237871217.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2240046403.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2238596385.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2165412620.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2240167156.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2238110756.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2239504789.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2238832656.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2239744184.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2239268803.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2237491903.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2239058013.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 1596, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 1596, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1572053 Sample: file.exe Startdate: 10/12/2024 Architecture: WINDOWS Score: 100 28 atten-supporse.biz 2->28 38 Suricata IDS alerts for network traffic 2->38 40 Found malware configuration 2->40 42 Antivirus detection for URL or domain 2->42 44 8 other signatures 2->44 8 file.exe 12 2->8         started        signatures3 process4 dnsIp5 30 185.215.113.16, 49752, 80 WHOLESALECONNECTIONSNL Portugal 8->30 32 atten-supporse.biz 104.21.16.1, 443, 49707, 49708 CLOUDFLARENETUS United States 8->32 46 Detected unpacking (changes PE section rights) 8->46 48 Query firmware table information (likely to detect VMs) 8->48 50 Tries to detect sandboxes and other dynamic analysis tools (window names) 8->50 52 9 other signatures 8->52 12 chrome.exe 1 8->12         started        15 chrome.exe 8->15         started        signatures6 process7 dnsIp8 34 192.168.2.6, 443, 49701, 49702 unknown unknown 12->34 36 239.255.255.250 unknown Reserved 12->36 17 chrome.exe 12->17         started        20 chrome.exe 15->20         started        process9 dnsIp10 22 www.google.com 172.217.21.36, 443, 49804, 50032 GOOGLEUS United States 17->22 24 shed.dual-low.s-part-0035.t-0009.t-msedge.net 17->24 26 6 other IPs or domains 17->26
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.16.1
 atten-supporse.biz United States
13335 CLOUDFLARENETUS false
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
239.255.255.250
 unknown Reserved
unknown unknown false
172.217.21.36
 www.google.com United States
15169 GOOGLEUS false

Private

IP
192.168.2.6

Contacted Domains

Name IP Active
atten-supporse.biz 104.21.16.1 true
www.google.com 172.217.21.36 true
s-part-0035.t-0009.t-msedge.net 13.107.246.63 true
js.monitor.azure.com unknown unknown
mdec.nelreports.net unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
dare-curbys.biz false
    		high
    impend-differ.biz false
      		high
      dwell-exclaim.biz false
        		high
        zinc-sneark.biz false
          		high
          formy-spill.biz false
            		high
            se-blurry.biz false
              		high
              covery-mover.biz false
                		high
                https://atten-supporse.biz/api false
                  		high
                  atten-supporse.biz false
                    		high
                    print-vexer.biz false
                      		high