Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562133
MD5: 5032eea68452ff054956add942d03697
SHA1: dc28bb50951074ec5d823e4bc94ba520796cc88f
SHA256: 940581abda4098f8858edda4080cff127a179db5c7ac9d6f357881569b703fdb
Tags: exeuser-Bitsight
Infos:

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

barindex
Source: file.exe Avira: detected
Source: https://frogs-severz.sbs/apial Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/api= Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/apiz Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/4R Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/apisi Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs:443/api Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/apig Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/api) Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/TR Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/apii Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/apiX Avira URL Cloud: Label: malware
Source: https://frogs-severz.sbs/apia Avira URL Cloud: Label: malware
Source: file.exe.7660.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": "https://frogs-severz.sbs/api", "Build Version": "LOGS11--LiveTraffi"}
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49765 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+14h] 0_2_003A98F0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, eax 0_2_003DB8E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, ecx 0_2_003DB8E0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [esp+esi+000001E8h] 0_2_003AE0D8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-65h] 0_2_003AE35B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, ecx 0_2_003ABC9D
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [eax], bl 0_2_003ACF05
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, eax 0_2_003AC02B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_003C0870
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then push eax 0_2_003DB860
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh 0_2_003DC040
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], C18BC4BAh 0_2_003DC040
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 6DBC3610h 0_2_003DC040
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh 0_2_003DC040
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then push eax 0_2_003DF8D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edi, eax 0_2_003DF8D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx+14h] 0_2_003AE970
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [esi], cx 0_2_003AEA38
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [esi], cl 0_2_003C8CB0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, ebp 0_2_003A5C90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, ebp 0_2_003A5C90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4C697C35h 0_2_003DBCE0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [eax+ecx] 0_2_003AAD00
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [edi] 0_2_003C5E90
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-58FA0F6Ch] 0_2_003E0F60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [eax+ecx+00008F12h] 0_2_003A77D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [ebp+ebx*4+00h], ax 0_2_003A77D0

Networking

barindex
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.9:49728 -> 104.21.88.250:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49728 -> 104.21.88.250:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:49756 -> 104.21.88.250:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49722 -> 104.21.88.250:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49722 -> 104.21.88.250:443
Source: Malware configuration extractor URLs: https://frogs-severz.sbs/api
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49740 -> 104.21.88.250:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49756 -> 104.21.88.250:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49734 -> 104.21.88.250:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49728 -> 104.21.88.250:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49776 -> 104.21.88.250:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49765 -> 104.21.88.250:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49746 -> 104.21.88.250:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49722 -> 104.21.88.250:443
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: frogs-severz.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 53Host: frogs-severz.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=A5K45MZSF13LUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12815Host: frogs-severz.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=P14SZ2J0R2C1792User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15051Host: frogs-severz.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=A8CHGFSQ06VHXG923TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20585Host: frogs-severz.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=03GZDEUNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1162Host: frogs-severz.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=DH8RDUB2KBUNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 551295Host: frogs-severz.sbs
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: property-imper.sbs
Source: global traffic DNS traffic detected: DNS query: frogs-severz.sbs
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: frogs-severz.sbs
Source: file.exe, 00000000.00000003.1497341173.00000000056E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1497341173.00000000056E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.1497341173.00000000056E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1497341173.00000000056E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1497341173.00000000056E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1497341173.00000000056E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1497341173.00000000056E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.1497341173.00000000056E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1497341173.00000000056E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.1497341173.00000000056E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1497341173.00000000056E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1499442298.000000000109B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.
Source: file.exe, 00000000.00000003.1545525829.0000000001092000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1545581901.0000000001096000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524856660.0000000001096000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524775025.000000000108C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1546302886.0000000001092000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1546336555.0000000001096000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta
Source: file.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1499442298.000000000109B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: file.exe, 00000000.00000003.1545525829.0000000001092000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1602899683.0000000001099000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1545581901.0000000001096000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600188579.0000000001099000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524856660.0000000001096000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524775025.000000000108C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1546302886.0000000001092000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1546336555.0000000001096000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_b
Source: file.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.1600305728.0000000001077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/
Source: file.exe, 00000000.00000002.1602899683.0000000001078000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600305728.0000000001077000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/4R
Source: file.exe, 00000000.00000002.1602899683.0000000001078000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/TR
Source: file.exe, file.exe, 00000000.00000003.1497468228.000000000109B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600086581.0000000001091000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1545638694.0000000001081000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524819084.0000000001085000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1551144110.00000000056CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1604459516.00000000056D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600343002.00000000056D2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1545660464.0000000001085000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600238733.0000000001085000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600086581.000000000107F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600238733.0000000001091000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524792305.000000000107D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524775025.000000000108C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1447764366.000000000107D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1602899683.0000000001086000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1496386073.000000000109C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1499442298.000000000109B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/api
Source: file.exe, 00000000.00000003.1545638694.0000000001081000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1545660464.0000000001085000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/api)
Source: file.exe, 00000000.00000002.1602899683.0000000001086000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/api=
Source: file.exe, 00000000.00000003.1600238733.0000000001085000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600086581.000000000107F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1602899683.0000000001086000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/apiX
Source: file.exe, 00000000.00000003.1545525829.0000000001092000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/apia
Source: file.exe, 00000000.00000003.1545525829.0000000001092000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600086581.0000000001091000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1602899683.0000000001091000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600238733.0000000001091000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1546302886.0000000001092000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/apial
Source: file.exe, 00000000.00000003.1545638694.0000000001081000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1545660464.0000000001085000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/apig
Source: file.exe, 00000000.00000002.1602996314.000000000109D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/apii
Source: file.exe, 00000000.00000003.1545581901.000000000109C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/apisi
Source: file.exe, 00000000.00000002.1602899683.0000000001086000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs/apiz
Source: file.exe, 00000000.00000003.1524775025.000000000108C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://frogs-severz.sbs:443/api
Source: file.exe, 00000000.00000003.1499442298.000000000109B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: file.exe, 00000000.00000003.1498963197.0000000005766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1498963197.0000000005766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.1545525829.0000000001092000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1545581901.0000000001096000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524856660.0000000001096000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524775025.000000000108C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1546302886.0000000001092000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1546336555.0000000001096000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5
Source: file.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1448114148.0000000005679000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448280145.0000000005676000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448206732.0000000005676000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.1499442298.000000000109B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: file.exe, 00000000.00000003.1498963197.0000000005766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: file.exe, 00000000.00000003.1498963197.0000000005766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: file.exe, 00000000.00000003.1498963197.0000000005766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.1498963197.0000000005766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1498963197.0000000005766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000003.1498963197.0000000005766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.9:49765 version: TLS 1.2

System Summary

barindex
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0106E8C6 0_3_0106E8C6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003D9030 0_2_003D9030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A98F0 0_2_003A98F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003DB8E0 0_2_003DB8E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003AE0D8 0_2_003AE0D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A89A0 0_2_003A89A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003E0C80 0_2_003E0C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B9530 0_2_003B9530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C3D70 0_2_003C3D70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003E1580 0_2_003E1580
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003ACF05 0_2_003ACF05
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C8770 0_2_003C8770
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C1790 0_2_003C1790
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C0870 0_2_003C0870
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A4040 0_2_003A4040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A6840 0_2_003A6840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003DC040 0_2_003DC040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005738E9 0_2_005738E9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003DF8D0 0_2_003DF8D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0059A11D 0_2_0059A11D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003AE970 0_2_003AE970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005D99DE 0_2_005D99DE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A61A0 0_2_003A61A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0056E9CC 0_2_0056E9CC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0050B18F 0_2_0050B18F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003D41D0 0_2_003D41D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003AB210 0_2_003AB210
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A9210 0_2_003A9210
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A4AC0 0_2_003A4AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E935F 0_2_005E935F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003BDB30 0_2_003BDB30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040830B 0_2_0040830B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0055CB0C 0_2_0055CB0C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003BFB60 0_2_003BFB60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A2B80 0_2_003A2B80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0056639A 0_2_0056639A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00506BA7 0_2_00506BA7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E041B 0_2_004E041B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C8CB0 0_2_003C8CB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A5C90 0_2_003A5C90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003D24E0 0_2_003D24E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A94D0 0_2_003A94D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A6CC0 0_2_003A6CC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003AAD00 0_2_003AAD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A3580 0_2_003A3580
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C7E20 0_2_003C7E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C0650 0_2_003C0650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00563ED1 0_2_00563ED1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00567ECA 0_2_00567ECA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C5E90 0_2_003C5E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003E0F60 0_2_003E0F60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004FDFCA 0_2_004FDFCA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003D87B0 0_2_003D87B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042CFFF 0_2_0042CFFF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003DC780 0_2_003DC780
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A77D0 0_2_003A77D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A27D0 0_2_003A27D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0056CFA2 0_2_0056CFA2
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9992955942622951
Source: file.exe Static PE information: Section: qozugtow ZLIB complexity 0.9945777757578077
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003D27B0 CoCreateInstance, 0_2_003D27B0
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000003.1448813585.0000000005649000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1448392633.0000000005664000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1471828980.000000000564A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1472178462.00000000056E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: file.exe Static file information: File size 1844224 > 1048576
Source: file.exe Static PE information: Raw size of qozugtow is bigger than: 0x100000 < 0x198400

Data Obfuscation

barindex
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.3a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qozugtow:EW;qlsbilts:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qozugtow:EW;qlsbilts:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x1c557e should be: 0x1c95c9
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: qozugtow
Source: file.exe Static PE information: section name: qlsbilts
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0106E163 push FFFFFFDBh; iretd 0_3_0106E174
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0106E5E1 push esi; retf 0_3_0106E5E4
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0108C350 push eax; ret 0_3_0108C351
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0108CB50 push eax; retf 0_3_0108CB51
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0108CF50 push eax; iretd 0_3_0108CF51
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0108C354 push eax; ret 0_3_0108C355
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0108CB54 push eax; retf 0_3_0108CB55
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0108CF54 push eax; iretd 0_3_0108CF55
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0108C368 push 680108C3h; ret 0_3_0108C36D
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0108CB68 push 680108CBh; retf 0_3_0108CB6D
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0108CF68 push 680108CFh; iretd 0_3_0108CF6D
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0108C360 pushad ; ret 0_3_0108C361
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0108CB60 pushad ; retf 0_3_0108CB61
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0108CF60 pushad ; iretd 0_3_0108CF61
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0108C364 pushad ; ret 0_3_0108C365
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0108CB64 pushad ; retf 0_3_0108CB65
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0108CF64 pushad ; iretd 0_3_0108CF65
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0059A058 push eax; mov dword ptr [esp], ebp 0_2_0059A0B6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005ED851 push 7358FF57h; mov dword ptr [esp], ebp 0_2_005ED8B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B8028 push esp; ret 0_2_003B802B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005DA06B push ecx; mov dword ptr [esp], esi 0_2_005DA0CD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005DA06B push 25A65661h; mov dword ptr [esp], eax 0_2_005DA10B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E901F push 510B6672h; mov dword ptr [esp], ebp 0_2_005E9047
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E901F push 7BCEEF41h; mov dword ptr [esp], edi 0_2_005E9070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B5057 push eax; iretd 0_2_003B5058
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E78CA push ebx; mov dword ptr [esp], 3A8859BFh 0_2_005E791D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E78CA push eax; mov dword ptr [esp], esp 0_2_005E7961
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062E0F7 push edx; mov dword ptr [esp], ebx 0_2_0062E15A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005738E9 push 050445EDh; mov dword ptr [esp], edx 0_2_00573923
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005738E9 push ebx; mov dword ptr [esp], edx 0_2_00573995
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005738E9 push 5ADCF211h; mov dword ptr [esp], ebx 0_2_005739A5
Source: file.exe Static PE information: section name: entropy: 7.98162486605094
Source: file.exe Static PE information: section name: qozugtow entropy: 7.953498445966998

Boot Survival

barindex
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 579237 second address: 57923B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57923B second address: 579246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5782F1 second address: 5782F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57857D second address: 578583 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5786FD second address: 578701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 578AC5 second address: 578ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F37B4535CD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57A473 second address: 57A479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57A479 second address: 57A50C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F37B4535CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F37B4535CD8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 pushad 0x0000002a mov esi, dword ptr [ebp+122D20A6h] 0x00000030 mov dx, ax 0x00000033 popad 0x00000034 push 00000000h 0x00000036 or esi, dword ptr [ebp+122D382Ch] 0x0000003c call 00007F37B4535CD9h 0x00000041 jmp 00007F37B4535CDEh 0x00000046 push eax 0x00000047 jmp 00007F37B4535CDCh 0x0000004c mov eax, dword ptr [esp+04h] 0x00000050 jmp 00007F37B4535CDAh 0x00000055 mov eax, dword ptr [eax] 0x00000057 push eax 0x00000058 push edx 0x00000059 jc 00007F37B4535CE8h 0x0000005f jmp 00007F37B4535CE2h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57A50C second address: 57A512 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57A512 second address: 57A5A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jmp 00007F37B4535CE4h 0x00000011 pop eax 0x00000012 movzx ecx, bx 0x00000015 push 00000003h 0x00000017 mov edx, dword ptr [ebp+122D38A0h] 0x0000001d push 00000000h 0x0000001f mov dword ptr [ebp+122D1BABh], eax 0x00000025 push 00000003h 0x00000027 push 96AFF87Fh 0x0000002c push esi 0x0000002d jmp 00007F37B4535CE9h 0x00000032 pop esi 0x00000033 add dword ptr [esp], 29500781h 0x0000003a push edi 0x0000003b xor dword ptr [ebp+122D2397h], esi 0x00000041 pop ecx 0x00000042 lea ebx, dword ptr [ebp+1245133Fh] 0x00000048 call 00007F37B4535CDAh 0x0000004d sub dword ptr [ebp+122D2DE6h], edx 0x00000053 pop edx 0x00000054 xchg eax, ebx 0x00000055 pushad 0x00000056 pushad 0x00000057 pushad 0x00000058 popad 0x00000059 jbe 00007F37B4535CD6h 0x0000005f popad 0x00000060 push eax 0x00000061 push edx 0x00000062 jo 00007F37B4535CD6h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57A5A2 second address: 57A5C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e jmp 00007F37B453709Eh 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57A764 second address: 57A786 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F37B4535CD6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57A882 second address: 57A886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57A886 second address: 57A8B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jp 00007F37B4535CD6h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jbe 00007F37B4535CD6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57A8B3 second address: 57A8C1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F37B4537096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B2DB second address: 59B2FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE8h 0x00000007 pushad 0x00000008 jnp 00007F37B4535CD6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5990A4 second address: 5990B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56CB53 second address: 56CB57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 599206 second address: 59920A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59920A second address: 599231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B4535CE0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F37B4535CE1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 599231 second address: 599236 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 599236 second address: 59923C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59938E second address: 599393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 599393 second address: 5993A7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F37B4535CDFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5993A7 second address: 5993C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F37B45370A6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5993C6 second address: 5993CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 599579 second address: 59957D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5996D0 second address: 5996D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5996D8 second address: 5996F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F37B453709Fh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 599EFF second address: 599F05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 599F05 second address: 599F2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F37B45370A0h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 599F2C second address: 599F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 599F30 second address: 599F56 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F37B4537096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F37B45370A3h 0x00000010 pushad 0x00000011 popad 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 599F56 second address: 599F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B4535CDCh 0x00000009 jnc 00007F37B4535CD6h 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F37B4535CE5h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 599F86 second address: 599F8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59A28C second address: 59A290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59A290 second address: 59A296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59A296 second address: 59A2F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F37B4535CE1h 0x0000000c jnp 00007F37B4535CD6h 0x00000012 popad 0x00000013 jl 00007F37B4535CDAh 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push eax 0x0000001c pop eax 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F37B4535CE6h 0x00000025 jmp 00007F37B4535CE3h 0x0000002a pop edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59A2F0 second address: 59A2F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5627A1 second address: 5627C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F37B4535CD6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59A9F3 second address: 59AA1E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jno 00007F37B4537096h 0x00000009 jmp 00007F37B45370A8h 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59AA1E second address: 59AA34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B4535CE1h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59ACD2 second address: 59ACD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59ACD6 second address: 59ACDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B133 second address: 59B157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B453709Ch 0x00000009 pop edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F37B45370A0h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59E55C second address: 59E560 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59EB97 second address: 59EB9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59EB9B second address: 59EBC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push esi 0x0000000d jbe 00007F37B4535CD6h 0x00000013 pop esi 0x00000014 jmp 00007F37B4535CDCh 0x00000019 popad 0x0000001a mov eax, dword ptr [eax] 0x0000001c push edx 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59EBC2 second address: 59EBFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jc 00007F37B4537096h 0x00000012 jmp 00007F37B45370A0h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F37B45370A7h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59DBB8 second address: 59DBCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F37B4535CD6h 0x0000000a popad 0x0000000b jo 00007F37B4535CDCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59DBCB second address: 59DBE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F37B45370A2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59DBE5 second address: 59DBEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A000D second address: 5A0012 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A0012 second address: 5A0042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B4535CE7h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F37B4535CE2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A0042 second address: 5A0046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56E521 second address: 56E527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56E527 second address: 56E532 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56E532 second address: 56E538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5A08 second address: 5A5A0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5A0C second address: 5A5A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5B7C second address: 5A5B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F37B4537096h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5B8B second address: 5A5B8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5B8F second address: 5A5BB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F37B45370A2h 0x0000000f jbe 00007F37B4537096h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5BB7 second address: 5A5BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5BBF second address: 5A5BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A5D37 second address: 5A5D50 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F37B4535CD6h 0x00000008 jnp 00007F37B4535CD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jns 00007F37B4535CD6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A650C second address: 5A6545 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F37B4537096h 0x00000008 jmp 00007F37B45370A5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnl 00007F37B453709Ch 0x00000015 pop edx 0x00000016 pushad 0x00000017 push esi 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a pop esi 0x0000001b jo 00007F37B453709Ch 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A82B7 second address: 5A82BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A82BC second address: 5A82C6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F37B453709Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A82C6 second address: 5A82EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 398901C5h 0x0000000d je 00007F37B4535CDCh 0x00000013 mov edi, dword ptr [ebp+122D37BCh] 0x00000019 push 3F2ACDCCh 0x0000001e jc 00007F37B4535CF0h 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A8460 second address: 5A8481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B453709Bh 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007F37B453709Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A865F second address: 5A8665 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A8E42 second address: 5A8E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A8E4A second address: 5A8E4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A8F2D second address: 5A8F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A8F31 second address: 5A8F35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A8F35 second address: 5A8F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A93D3 second address: 5A93D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A93D7 second address: 5A93F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F37B45370A7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A99B0 second address: 5A9A08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F37B4535CDCh 0x0000000f nop 0x00000010 mov dword ptr [ebp+122D2288h], eax 0x00000016 push 00000000h 0x00000018 mov esi, eax 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007F37B4535CD8h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 00000017h 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 push eax 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A9A08 second address: 5A9A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AA323 second address: 5AA32D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F37B4535CD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AA32D second address: 5AA331 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AA1C9 second address: 5AA1E7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F37B4535CE0h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AA1E7 second address: 5AA1EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AA3B9 second address: 5AA3BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AA3BE second address: 5AA3C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F37B4537096h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AA3C8 second address: 5AA3F2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F37B4535CEFh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AB478 second address: 5AB4CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jmp 00007F37B453709Dh 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F37B4537098h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 jmp 00007F37B453709Bh 0x0000002c push 00000000h 0x0000002e cmc 0x0000002f push 00000000h 0x00000031 add edi, dword ptr [ebp+122D3780h] 0x00000037 push eax 0x00000038 jnp 00007F37B453709Eh 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AAB16 second address: 5AAB20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F37B4535CD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AD416 second address: 5AD42D instructions: 0x00000000 rdtsc 0x00000002 je 00007F37B4537098h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007F37B4537096h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AD42D second address: 5AD43D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B4333 second address: 5B4339 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B4339 second address: 5B433D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AF313 second address: 5AF325 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B44CB second address: 5B44D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B54A5 second address: 5B5526 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F37B4537098h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+122D356Eh], edx 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007F37B4537098h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d push 00000000h 0x0000003f push esi 0x00000040 call 00007F37B4537098h 0x00000045 pop esi 0x00000046 mov dword ptr [esp+04h], esi 0x0000004a add dword ptr [esp+04h], 00000018h 0x00000052 inc esi 0x00000053 push esi 0x00000054 ret 0x00000055 pop esi 0x00000056 ret 0x00000057 mov eax, dword ptr [ebp+122D06DDh] 0x0000005d sub ebx, 590A7652h 0x00000063 push FFFFFFFFh 0x00000065 add dword ptr [ebp+122D2159h], eax 0x0000006b nop 0x0000006c push eax 0x0000006d push edx 0x0000006e push esi 0x0000006f push esi 0x00000070 pop esi 0x00000071 pop esi 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B62EE second address: 5B62F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5526 second address: 5B552D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B738F second address: 5B73B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F37B4535CDDh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B8442 second address: 5B845D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F37B453709Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B9212 second address: 5B9217 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B845D second address: 5B8461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BD0A3 second address: 5BD0A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BD0A7 second address: 5BD0AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BD630 second address: 5BD636 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BE568 second address: 5BE576 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B453709Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BE576 second address: 5BE594 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F37B4535CE3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BE594 second address: 5BE61B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F37B45370A1h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F37B4537098h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push edi 0x00000029 xor dword ptr [ebp+122D195Ah], esi 0x0000002f pop ebx 0x00000030 mov bl, 78h 0x00000032 push 00000000h 0x00000034 call 00007F37B45370A8h 0x00000039 mov edi, ebx 0x0000003b pop edi 0x0000003c xchg eax, esi 0x0000003d jng 00007F37B45370AEh 0x00000043 pushad 0x00000044 jmp 00007F37B45370A4h 0x00000049 push eax 0x0000004a pop eax 0x0000004b popad 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 pushad 0x00000051 popad 0x00000052 pop eax 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BD88E second address: 5BD892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BD892 second address: 5BD8AB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F37B4537098h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 ja 00007F37B4537096h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BE868 second address: 5BE89B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b js 00007F37B4535CE6h 0x00000011 jmp 00007F37B4535CE0h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BF696 second address: 5BF69C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C250B second address: 5C25D4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F37B4535CE1h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jno 00007F37B4535CE0h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F37B4535CD8h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c xor dword ptr [ebp+122D20ACh], ebx 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push eax 0x00000037 call 00007F37B4535CD8h 0x0000003c pop eax 0x0000003d mov dword ptr [esp+04h], eax 0x00000041 add dword ptr [esp+04h], 00000014h 0x00000049 inc eax 0x0000004a push eax 0x0000004b ret 0x0000004c pop eax 0x0000004d ret 0x0000004e call 00007F37B4535CE4h 0x00000053 call 00007F37B4535CE2h 0x00000058 ja 00007F37B4535CD6h 0x0000005e pop edi 0x0000005f pop ebx 0x00000060 push 00000000h 0x00000062 jns 00007F37B4535CDCh 0x00000068 xchg eax, esi 0x00000069 push edi 0x0000006a push eax 0x0000006b jmp 00007F37B4535CDAh 0x00000070 pop eax 0x00000071 pop edi 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 jmp 00007F37B4535CDBh 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C1600 second address: 5C160A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C160A second address: 5C160E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C160E second address: 5C1696 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F37B45370A4h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F37B4537098h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 call 00007F37B453709Ch 0x0000002d pushad 0x0000002e xor esi, dword ptr [ebp+122D3A08h] 0x00000034 movsx edx, si 0x00000037 popad 0x00000038 pop edi 0x00000039 push dword ptr fs:[00000000h] 0x00000040 mov dword ptr [ebp+122D328Ah], edx 0x00000046 mov dword ptr fs:[00000000h], esp 0x0000004d mov dword ptr [ebp+1244C01Ah], ebx 0x00000053 mov eax, dword ptr [ebp+122D0565h] 0x00000059 mov dword ptr [ebp+122D2DE6h], ebx 0x0000005f push FFFFFFFFh 0x00000061 mov ebx, dword ptr [ebp+122D396Ch] 0x00000067 nop 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b push ebx 0x0000006c pop ebx 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C1696 second address: 5C169B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C169B second address: 5C16C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jl 00007F37B45370AFh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F37B453709Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8DDD second address: 5C8E02 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F37B4535CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F37B4535CE9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C8E02 second address: 5C8E06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CDBFE second address: 5CDC10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F37B4535CDAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CDD83 second address: 5CDDA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A7h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CDDA0 second address: 5CDDA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CDF15 second address: 5CDF1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CE099 second address: 5CE0B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5AC4 second address: 5D5ACE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D952C second address: 5D9532 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9B25 second address: 5D9B3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F37B45370A1h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9B3C second address: 5D9B46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F37B4535CD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9B46 second address: 5D9B50 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F37B4537096h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9C8A second address: 5D9CAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE6h 0x00000007 jmp 00007F37B4535CDBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9CAF second address: 5D9CC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9CC3 second address: 5D9CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DA289 second address: 5DA294 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F37B4537096h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DA3E0 second address: 5DA3F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F37B4535CD6h 0x0000000a jng 00007F37B4535CD6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DA3F0 second address: 5DA3F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DA6CC second address: 5DA6D1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF34B second address: 5DF375 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A0h 0x00000007 jmp 00007F37B453709Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jbe 00007F37B4537096h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF375 second address: 5DF37B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DF37B second address: 5DF37F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E3989 second address: 5E39CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE5h 0x00000007 jc 00007F37B4535CDCh 0x0000000d jng 00007F37B4535CD6h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jmp 00007F37B4535CE4h 0x0000001c push edx 0x0000001d pop edx 0x0000001e popad 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E39CA second address: 5E39E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B45370A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AFC29 second address: 5AFC9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F37B4535CE8h 0x00000010 jmp 00007F37B4535CDAh 0x00000015 popad 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F37B4535CD8h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 lea eax, dword ptr [ebp+124869D2h] 0x00000037 mov dword ptr [ebp+122D2326h], eax 0x0000003d nop 0x0000003e pushad 0x0000003f push eax 0x00000040 jc 00007F37B4535CD6h 0x00000046 pop eax 0x00000047 jo 00007F37B4535CDCh 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AFC9C second address: 5AFCA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AFCA7 second address: 5AFCAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AFCAB second address: 5AFCB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F37B4537096h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AFE8F second address: 5AFEA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B4535CE1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B01F6 second address: 5B0204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jng 00007F37B4537096h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B0338 second address: 5B033C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B033C second address: 5B034C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B034C second address: 5B0351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B0488 second address: 5B048C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B0566 second address: 5B059B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F37B4535CE0h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 jnl 00007F37B4535CDCh 0x0000001a jg 00007F37B4535CD6h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B059B second address: 5B059F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B059F second address: 5B05A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B079D second address: 5B07A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B07A1 second address: 5B07A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B07A7 second address: 5B07AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B07AD second address: 5B07B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B07B1 second address: 5B07C3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jbe 00007F37B453709Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B07C3 second address: 5B07DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F37B4535CE5h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B0F32 second address: 5B0F8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F37B4537098h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 sbb dx, D0F1h 0x0000002c lea eax, dword ptr [ebp+12486A16h] 0x00000032 call 00007F37B45370A1h 0x00000037 jmp 00007F37B453709Ch 0x0000003c pop edx 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 pushad 0x00000042 popad 0x00000043 pushad 0x00000044 popad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B0F8F second address: 591331 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F37B4535CD6h 0x00000009 jmp 00007F37B4535CDFh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007F37B4535CD8h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e call 00007F37B4535CE8h 0x00000033 jns 00007F37B4535CE6h 0x00000039 pop ecx 0x0000003a lea eax, dword ptr [ebp+124869D2h] 0x00000040 push 00000000h 0x00000042 push ebx 0x00000043 call 00007F37B4535CD8h 0x00000048 pop ebx 0x00000049 mov dword ptr [esp+04h], ebx 0x0000004d add dword ptr [esp+04h], 00000017h 0x00000055 inc ebx 0x00000056 push ebx 0x00000057 ret 0x00000058 pop ebx 0x00000059 ret 0x0000005a push eax 0x0000005b push edi 0x0000005c jmp 00007F37B4535CDBh 0x00000061 pop edi 0x00000062 mov dword ptr [esp], eax 0x00000065 or edx, 05421700h 0x0000006b call dword ptr [ebp+122D3389h] 0x00000071 push eax 0x00000072 push eax 0x00000073 push edx 0x00000074 jo 00007F37B4535CD6h 0x0000007a push eax 0x0000007b push edx 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 591331 second address: 591335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 591335 second address: 591339 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 591339 second address: 59134E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d je 00007F37B4537098h 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E2A1E second address: 5E2A36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 je 00007F37B4535CDEh 0x0000000b pushad 0x0000000c popad 0x0000000d jc 00007F37B4535CD6h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E2A36 second address: 5E2A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E2FC8 second address: 5E2FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B4535CE0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E2FDE second address: 5E3030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F37B4537096h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F37B45370B3h 0x00000014 jmp 00007F37B45370A7h 0x00000019 jng 00007F37B4537096h 0x0000001f jbe 00007F37B45370B1h 0x00000025 jmp 00007F37B45370A5h 0x0000002a jnp 00007F37B4537096h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E3030 second address: 5E3035 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E3035 second address: 5E303B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E333B second address: 5E3369 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F37B4535CD6h 0x00000009 jc 00007F37B4535CD6h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F37B4535CE8h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E3369 second address: 5E336D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E7B2A second address: 5E7B71 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jo 00007F37B4535CD6h 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 popad 0x00000011 pushad 0x00000012 push ecx 0x00000013 jmp 00007F37B4535CE2h 0x00000018 pop ecx 0x00000019 pushad 0x0000001a jmp 00007F37B4535CDBh 0x0000001f push edi 0x00000020 pop edi 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 jmp 00007F37B4535CDDh 0x00000029 push edi 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E7CE4 second address: 5E7CEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E8117 second address: 5E811D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E811D second address: 5E8125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E8125 second address: 5E812F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E8294 second address: 5E82A4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F37B4537096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E82A4 second address: 5E82A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E82A8 second address: 5E82E2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F37B4537096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F37B453709Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F37B45370A9h 0x00000018 jnp 00007F37B4537096h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E82E2 second address: 5E82F4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnc 00007F37B4535CD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E82F4 second address: 5E82F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E86EF second address: 5E86F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E86F5 second address: 5E8730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F37B45370A7h 0x0000000a jmp 00007F37B45370A1h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E8730 second address: 5E8735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E8735 second address: 5E873B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E873B second address: 5E873F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E8882 second address: 5E888D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E888D second address: 5E8893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E8893 second address: 5E8897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EE819 second address: 5EE822 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED640 second address: 5ED646 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED646 second address: 5ED64C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EDCF8 second address: 5EDD03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EDD03 second address: 5EDD07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EE289 second address: 5EE28E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F1443 second address: 5F1465 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F37B4535CF4h 0x00000008 jmp 00007F37B4535CE8h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F1465 second address: 5F146D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F146D second address: 5F1471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 564332 second address: 56434C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B45370A6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F65AD second address: 5F65EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007F37B4535CE8h 0x0000000f pop ecx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop edx 0x00000017 push eax 0x00000018 pushad 0x00000019 popad 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F65EB second address: 5F65F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F65F1 second address: 5F65F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F61AD second address: 5F61B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F61B1 second address: 5F61C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jng 00007F37B4535CD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB0EE second address: 5FB0F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FAD66 second address: 5FAD80 instructions: 0x00000000 rdtsc 0x00000002 je 00007F37B4535CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F37B4535CDEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FF2F2 second address: 5FF2F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FF71E second address: 5FF722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FF722 second address: 5FF745 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F37B45370A5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jne 00007F37B4537096h 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FF745 second address: 5FF74B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FF74B second address: 5FF751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FF751 second address: 5FF755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FF755 second address: 5FF76E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F37B453709Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B0A00 second address: 5B0A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B0A0A second address: 5B0A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jo 00007F37B4537098h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e nop 0x0000000f mov dx, ax 0x00000012 push 00000004h 0x00000014 mov ecx, esi 0x00000016 nop 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push esi 0x0000001b pop esi 0x0000001c jmp 00007F37B45370A0h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FFA36 second address: 5FFA56 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F37B4535CE6h 0x00000008 jo 00007F37B4535CDEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FFB8B second address: 5FFBAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A2h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F37B4537098h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 603A70 second address: 603A76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 603A76 second address: 603A7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 603EFC second address: 603F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 603F03 second address: 603F0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F37B4537096h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 603F0F second address: 603F2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 603F2C second address: 603F4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F37B45370A6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 604097 second address: 6040B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 jmp 00007F37B4535CE3h 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6040B3 second address: 6040D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F37B4537096h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push ecx 0x0000000d jmp 00007F37B45370A5h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 604242 second address: 60424A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60424A second address: 604254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 604254 second address: 604269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 jmp 00007F37B4535CDCh 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 604269 second address: 604281 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007F37B4537096h 0x0000000b je 00007F37B4537096h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 604281 second address: 604291 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60A7CE second address: 60A7D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60A7D2 second address: 60A7EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60A7EA second address: 60A7FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60A7FE second address: 60A807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60A807 second address: 60A80B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60AF71 second address: 60AF75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60B224 second address: 60B228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60B228 second address: 60B232 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F37B4535CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60B7E3 second address: 60B7EF instructions: 0x00000000 rdtsc 0x00000002 je 00007F37B4537096h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60BDF7 second address: 60BE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F37B4535CD6h 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007F37B4535CD6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60C41A second address: 60C433 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F37B45370A3h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60C433 second address: 60C444 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F37B4535CD6h 0x00000009 jng 00007F37B4535CD6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 612486 second address: 612492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616314 second address: 616318 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615373 second address: 615380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnc 00007F37B4537098h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615380 second address: 615385 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6156E6 second address: 615709 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Ah 0x00000007 jmp 00007F37B453709Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e js 00007F37B453709Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615709 second address: 615721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F37B4535CE6h 0x0000000c jmp 00007F37B4535CDAh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615878 second address: 61587C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61587C second address: 61588C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jng 00007F37B4535CD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6159CC second address: 6159D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6159D0 second address: 6159E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F37B4535CD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F37B4535CE6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615B61 second address: 615B65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615D1A second address: 615D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F37B4535CD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615D24 second address: 615D28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615D28 second address: 615D31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615D31 second address: 615D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 js 00007F37B45370D4h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F37B453709Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615D4C second address: 615D50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616050 second address: 616054 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61F3D3 second address: 61F3D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61D8BC second address: 61D8F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B45370A4h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F37B45370A7h 0x00000014 jnp 00007F37B4537098h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61D8F9 second address: 61D90B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B4535CDEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61DA23 second address: 61DA29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61DA29 second address: 61DA3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F37B4535CDCh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61DA3A second address: 61DA40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61DA40 second address: 61DA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61DA44 second address: 61DA61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E16D second address: 61E173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E173 second address: 61E179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E179 second address: 61E17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E17D second address: 61E183 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E2A7 second address: 61E2AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E2AB second address: 61E2DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F37B45370A5h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F37B45370A3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E2DB second address: 61E312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F37B4535CDEh 0x0000000c jmp 00007F37B4535CE0h 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 ja 00007F37B4535CD6h 0x0000001b jc 00007F37B4535CD6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E312 second address: 61E31F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F37B45370A2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E31F second address: 61E32C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F37B4535CD6h 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61EA61 second address: 61EA80 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jns 00007F37B4537096h 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jc 00007F37B4537096h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61EA80 second address: 61EA84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61EA84 second address: 61EA8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61EA8A second address: 61EAA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F37B4535CE0h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61EAA3 second address: 61EAAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61D055 second address: 61D05B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61D05B second address: 61D08B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F37B4537098h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f jnl 00007F37B4537096h 0x00000015 jns 00007F37B4537096h 0x0000001b push edi 0x0000001c pop edi 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F37B45370A0h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 624ED6 second address: 624EDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62493E second address: 624944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 624C4C second address: 624C54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56797A second address: 567986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F37B4537096h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567986 second address: 56799B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F37B4535CDCh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56799B second address: 5679B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B45370A6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5679B5 second address: 5679CC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F37B4535CDBh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5679CC second address: 5679D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5679D0 second address: 567A00 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F37B4535CDDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F37B4535CD6h 0x00000013 jmp 00007F37B4535CE5h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633B00 second address: 633B0A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F37B4537096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633C6D second address: 633C7D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F37B4535CD6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633C7D second address: 633C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63AEBE second address: 63AECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F37B4535CDCh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63C518 second address: 63C542 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Fh 0x00000007 jmp 00007F37B45370A0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63C542 second address: 63C548 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 643A58 second address: 643A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 646CFA second address: 646D1B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F37B4535CE5h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 646D1B second address: 646D1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 646D1F second address: 646D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 646D2B second address: 646D32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 646BB3 second address: 646BB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64D0CC second address: 64D0D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64BB48 second address: 64BB51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64C1BB second address: 64C1C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F37B4537096h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64C1C7 second address: 64C1DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F37B4535CDCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64C1DC second address: 64C1E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64C1E0 second address: 64C1E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64C39E second address: 64C3A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64CDBD second address: 64CDCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64CDCB second address: 64CDDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F37B453709Fh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64CDDF second address: 64CDFD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F37B4535CE7h 0x00000008 pop ebx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 651532 second address: 65153C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F37B45370ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6516E1 second address: 6516E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6516E5 second address: 6516EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6611B5 second address: 6611C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F37B4535CD6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6611C0 second address: 6611D4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F37B453709Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6611D4 second address: 6611D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6714ED second address: 6714F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6714F1 second address: 671500 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 671500 second address: 671508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 671508 second address: 67150C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67150C second address: 67151A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67151A second address: 67151E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67151E second address: 671528 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F37B4537096h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 671057 second address: 671068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b jl 00007F37B4535CD6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 671068 second address: 671094 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F37B45370A5h 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 671094 second address: 671099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 671099 second address: 6710AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F37B453709Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68720B second address: 687222 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68D2D4 second address: 68D2F2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F37B453709Ch 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68ED74 second address: 68ED78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68ED78 second address: 68ED84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F37B4537096h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AB03E second address: 5AB057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B4535CE5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AB057 second address: 5AB06E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F37B4537096h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jl 00007F37B45370A0h 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AB238 second address: 5AB23C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AB23C second address: 5AB246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0345 second address: 4CF0362 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 36D3A4EFh 0x00000008 movzx esi, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F37B4535CDAh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0362 second address: 4CF03A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F37B453709Bh 0x00000014 xor esi, 78882BDEh 0x0000001a jmp 00007F37B45370A9h 0x0000001f popfd 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF03A5 second address: 4CF03B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B4535CDAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF03B3 second address: 4CF03D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, dword ptr [ebp+0Ch] 0x0000000e pushad 0x0000000f movsx edi, cx 0x00000012 popad 0x00000013 mov ecx, dword ptr [ebp+08h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF03D5 second address: 4CF03D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF03D9 second address: 4CF03DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF03DF second address: 4CF03E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF03E5 second address: 4CF03E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF03E9 second address: 4CF03ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0402 second address: 4CF0408 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0408 second address: 4CF040C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF040C second address: 4CF0410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10629 second address: 4D1062E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1062E second address: 4D10692 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, ecx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F37B453709Fh 0x0000000f pushfd 0x00000010 jmp 00007F37B45370A8h 0x00000015 adc esi, 62E79FC8h 0x0000001b jmp 00007F37B453709Bh 0x00000020 popfd 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 jmp 00007F37B45370A6h 0x00000028 mov ebp, esp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10692 second address: 4D10698 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10698 second address: 4D1069E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1069E second address: 4D106A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D106A2 second address: 4D106CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c jmp 00007F37B45370A0h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov edx, eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D106CF second address: 4D106D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D106D4 second address: 4D1070C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b mov edx, esi 0x0000000d mov si, 0AD7h 0x00000011 popad 0x00000012 xchg eax, esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F37B45370A9h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1070C second address: 4D10765 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F37B4535CE1h 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 push eax 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 pushad 0x00000016 call 00007F37B4535CE4h 0x0000001b pop eax 0x0000001c jmp 00007F37B4535CDBh 0x00000021 popad 0x00000022 popad 0x00000023 lea eax, dword ptr [ebp-04h] 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10765 second address: 4D10780 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10780 second address: 4D107BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F37B4535CE8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D107BA second address: 4D107C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D107C9 second address: 4D10808 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F37B4535CE1h 0x0000000f nop 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F37B4535CDDh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10808 second address: 4D1082F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F37B453709Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10911 second address: 4D10917 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10917 second address: 4D1093C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F37B45370A8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1093C second address: 4D1094B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1094B second address: 4D10963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B45370A4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10963 second address: 4D10972 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10972 second address: 4D10976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10976 second address: 4D1097C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1097C second address: 4D10982 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10982 second address: 4D10986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10986 second address: 4D1098A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1098A second address: 4D10044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 retn 0004h 0x0000000b nop 0x0000000c sub esp, 04h 0x0000000f xor ebx, ebx 0x00000011 cmp eax, 00000000h 0x00000014 je 00007F37B4535E25h 0x0000001a xor eax, eax 0x0000001c mov dword ptr [esp], 00000000h 0x00000023 mov dword ptr [esp+04h], 00000000h 0x0000002b call 00007F37B8E7182Bh 0x00000030 mov edi, edi 0x00000032 jmp 00007F37B4535CE0h 0x00000037 xchg eax, ebp 0x00000038 jmp 00007F37B4535CE0h 0x0000003d push eax 0x0000003e jmp 00007F37B4535CDBh 0x00000043 xchg eax, ebp 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F37B4535CE0h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10044 second address: 4D10048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10048 second address: 4D1004E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1004E second address: 4D10054 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10054 second address: 4D10058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10058 second address: 4D10091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F37B45370A4h 0x0000000f push FFFFFFFEh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F37B45370A7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10091 second address: 4D100D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 push edi 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b call 00007F37B4535CD9h 0x00000010 pushad 0x00000011 call 00007F37B4535CE3h 0x00000016 jmp 00007F37B4535CE8h 0x0000001b pop ecx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D100D5 second address: 4D1016C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, dx 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007F37B45370A8h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 mov edx, 7B16A2F4h 0x00000019 mov bx, FA60h 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 jmp 00007F37B45370A6h 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 pushad 0x0000002a mov bh, ABh 0x0000002c mov ebx, ecx 0x0000002e popad 0x0000002f pop eax 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007F37B45370A2h 0x00000037 add ch, 00000008h 0x0000003a jmp 00007F37B453709Bh 0x0000003f popfd 0x00000040 mov edi, ecx 0x00000042 popad 0x00000043 push 0584E1DBh 0x00000048 jmp 00007F37B453709Bh 0x0000004d add dword ptr [esp], 6FB94995h 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1016C second address: 4D10187 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10187 second address: 4D101DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F37B453709Fh 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007F37B45370A9h 0x0000000f adc cx, 7CE6h 0x00000014 jmp 00007F37B45370A1h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov eax, dword ptr fs:[00000000h] 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov ch, bh 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D101DC second address: 4D101E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D101E2 second address: 4D101E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D101E6 second address: 4D1024C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007F37B4535CDEh 0x00000011 push eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F37B4535CE1h 0x00000019 sub ax, 1E56h 0x0000001e jmp 00007F37B4535CE1h 0x00000023 popfd 0x00000024 mov di, cx 0x00000027 popad 0x00000028 nop 0x00000029 jmp 00007F37B4535CDAh 0x0000002e sub esp, 18h 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 mov si, 3553h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1024C second address: 4D102B5 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F37B45370A8h 0x00000008 or cx, E2D8h 0x0000000d jmp 00007F37B453709Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 jmp 00007F37B45370A8h 0x0000001a popad 0x0000001b xchg eax, ebx 0x0000001c jmp 00007F37B45370A0h 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F37B453709Eh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D102B5 second address: 4D102F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F37B4535CE6h 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F37B4535CE7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D102F5 second address: 4D102FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D102FB second address: 4D10318 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F37B4535CDEh 0x0000000e xchg eax, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10318 second address: 4D1031F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1031F second address: 4D1037E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F37B4535CE2h 0x00000009 or cx, 3DE8h 0x0000000e jmp 00007F37B4535CDBh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F37B4535CE8h 0x0000001a sub si, D048h 0x0000001f jmp 00007F37B4535CDBh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 xchg eax, edi 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushad 0x0000002d popad 0x0000002e mov di, 3724h 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1037E second address: 4D10383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10383 second address: 4D103DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, 9645h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d movsx ebx, ax 0x00000010 push esi 0x00000011 call 00007F37B4535CE9h 0x00000016 pop eax 0x00000017 pop edx 0x00000018 popad 0x00000019 xchg eax, edi 0x0000001a jmp 00007F37B4535CDCh 0x0000001f mov eax, dword ptr [75444538h] 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F37B4535CE7h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D103DB second address: 4D1042C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [ebp-08h], eax 0x0000000c jmp 00007F37B453709Eh 0x00000011 xor eax, ebp 0x00000013 jmp 00007F37B45370A1h 0x00000018 nop 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F37B453709Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1042C second address: 4D1047E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 pushfd 0x00000007 jmp 00007F37B4535CE3h 0x0000000c and ch, 0000001Eh 0x0000000f jmp 00007F37B4535CE9h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F37B4535CE3h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1047E second address: 4D10482 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10482 second address: 4D10488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10488 second address: 4D1048E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1048E second address: 4D104A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop esi 0x0000000e movsx ebx, ax 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D104A0 second address: 4D104C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F37B453709Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D104C3 second address: 4D104D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B4535CDCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D104D3 second address: 4D104D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D104D7 second address: 4D1050B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr fs:[00000000h], eax 0x0000000e pushad 0x0000000f mov cl, dh 0x00000011 mov bx, si 0x00000014 popad 0x00000015 mov dword ptr [ebp-18h], esp 0x00000018 jmp 00007F37B4535CE0h 0x0000001d mov eax, dword ptr fs:[00000018h] 0x00000023 pushad 0x00000024 pushad 0x00000025 mov edx, esi 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1050B second address: 4D1055C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov ax, AB75h 0x00000009 popad 0x0000000a mov ecx, dword ptr [eax+00000FDCh] 0x00000010 jmp 00007F37B45370A0h 0x00000015 test ecx, ecx 0x00000017 jmp 00007F37B45370A0h 0x0000001c jns 00007F37B45370DEh 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F37B45370A7h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D1055C second address: 4D10562 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10562 second address: 4D10566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10566 second address: 4D1056A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0002D second address: 4D00033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00033 second address: 4D000B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push ecx 0x0000000e movsx ebx, ax 0x00000011 pop ecx 0x00000012 mov edi, 3B6559E8h 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a pushad 0x0000001b call 00007F37B4535CDDh 0x00000020 call 00007F37B4535CE0h 0x00000025 pop esi 0x00000026 pop edx 0x00000027 pushfd 0x00000028 jmp 00007F37B4535CE0h 0x0000002d sub esi, 259EF778h 0x00000033 jmp 00007F37B4535CDBh 0x00000038 popfd 0x00000039 popad 0x0000003a sub esp, 2Ch 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F37B4535CE0h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D000B0 second address: 4D000BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D000BF second address: 4D000FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F37B4535CDEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F37B4535CDEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D000FC second address: 4D00102 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00102 second address: 4D00154 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F37B4535CDFh 0x00000010 sbb ecx, 55C28F5Eh 0x00000016 jmp 00007F37B4535CE9h 0x0000001b popfd 0x0000001c mov ecx, 7B959C27h 0x00000021 popad 0x00000022 xchg eax, edi 0x00000023 jmp 00007F37B4535CDAh 0x00000028 push eax 0x00000029 pushad 0x0000002a mov bh, 55h 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00154 second address: 4D0016E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 xchg eax, edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F37B45370A1h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0016E second address: 4D00174 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00174 second address: 4D00178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0022A second address: 4D00230 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00230 second address: 4D00281 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F37B453729Ah 0x00000011 pushad 0x00000012 call 00007F37B453709Ch 0x00000017 mov ch, C0h 0x00000019 pop edx 0x0000001a pushfd 0x0000001b jmp 00007F37B453709Ch 0x00000020 adc si, EB28h 0x00000025 jmp 00007F37B453709Bh 0x0000002a popfd 0x0000002b popad 0x0000002c lea ecx, dword ptr [ebp-14h] 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00281 second address: 4D00285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00285 second address: 4D0028B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D002CA second address: 4D0031B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F37B4535CDFh 0x00000009 and ecx, 16609F2Eh 0x0000000f jmp 00007F37B4535CE9h 0x00000014 popfd 0x00000015 mov bx, ax 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b nop 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f call 00007F37B4535CE2h 0x00000024 pop ecx 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00367 second address: 4D003DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F37B453709Ch 0x00000012 adc ah, 00000028h 0x00000015 jmp 00007F37B453709Bh 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007F37B45370A8h 0x00000021 sub al, FFFFFF88h 0x00000024 jmp 00007F37B453709Bh 0x00000029 popfd 0x0000002a popad 0x0000002b jg 00007F3824C25156h 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 mov dx, 94F6h 0x00000038 pushad 0x00000039 popad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D003DC second address: 4D0041D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F37B4535D33h 0x0000000f jmp 00007F37B4535CE0h 0x00000014 cmp dword ptr [ebp-14h], edi 0x00000017 jmp 00007F37B4535CE0h 0x0000001c jne 00007F3824C23D5Eh 0x00000022 pushad 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0041D second address: 4D00457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007F37B45370A8h 0x0000000b and ax, A7A8h 0x00000010 jmp 00007F37B453709Bh 0x00000015 popfd 0x00000016 popad 0x00000017 mov ebx, dword ptr [ebp+08h] 0x0000001a pushad 0x0000001b mov edi, ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00457 second address: 4D0045B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0045B second address: 4D004DF instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F37B453709Ch 0x00000008 sbb ecx, 1FA01A08h 0x0000000e jmp 00007F37B453709Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 lea eax, dword ptr [ebp-2Ch] 0x0000001a jmp 00007F37B45370A6h 0x0000001f xchg eax, esi 0x00000020 pushad 0x00000021 mov al, 3Bh 0x00000023 pushfd 0x00000024 jmp 00007F37B45370A3h 0x00000029 sbb ax, 1FAEh 0x0000002e jmp 00007F37B45370A9h 0x00000033 popfd 0x00000034 popad 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F37B453709Ch 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D004DF second address: 4D00546 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 398930C3h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F37B4535CE6h 0x00000011 nop 0x00000012 pushad 0x00000013 push eax 0x00000014 mov eax, edx 0x00000016 pop ebx 0x00000017 mov al, 0Ch 0x00000019 popad 0x0000001a push eax 0x0000001b jmp 00007F37B4535CE0h 0x00000020 nop 0x00000021 jmp 00007F37B4535CE0h 0x00000026 xchg eax, ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F37B4535CE7h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00546 second address: 4D0054C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0054C second address: 4D00550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00550 second address: 4D00554 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00554 second address: 4D00563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00563 second address: 4D00567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00567 second address: 4D0056D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0056D second address: 4D00573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00573 second address: 4D0058D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F37B4535CDFh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0058D second address: 4D00593 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D005ED second address: 4CF0E15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F3824C23D21h 0x0000000f xor eax, eax 0x00000011 jmp 00007F37B450F40Ah 0x00000016 pop esi 0x00000017 pop edi 0x00000018 pop ebx 0x00000019 leave 0x0000001a retn 0004h 0x0000001d nop 0x0000001e sub esp, 04h 0x00000021 mov esi, eax 0x00000023 cmp esi, 00000000h 0x00000026 setne al 0x00000029 xor ebx, ebx 0x0000002b test al, 01h 0x0000002d jne 00007F37B4535CD7h 0x0000002f jmp 00007F37B4535DDFh 0x00000034 call 00007F37B8E524E0h 0x00000039 mov edi, edi 0x0000003b jmp 00007F37B4535CE3h 0x00000040 xchg eax, ebp 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F37B4535CE0h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E15 second address: 4CF0E19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E19 second address: 4CF0E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E1F second address: 4CF0E4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 75B3h 0x00000007 mov ah, BAh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F37B45370A7h 0x00000015 mov cx, 6BEFh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E4B second address: 4CF0E5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, FBh 0x00000005 movzx ecx, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E5D second address: 4CF0E61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E61 second address: 4CF0E67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E67 second address: 4CF0E7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov edi, 7DF14960h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E7B second address: 4CF0E7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0E7F second address: 4CF0EB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ecx 0x0000000b pushad 0x0000000c mov al, A5h 0x0000000e mov bh, CFh 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 mov edi, 6A8C3084h 0x00000018 popad 0x00000019 xchg eax, ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f push edi 0x00000020 pop ecx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0F07 second address: 4CF0F0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0F0B second address: 4CF0F0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0F0F second address: 4CF0F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0F15 second address: 4CF0F1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CF0F1B second address: 4CF0F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00910 second address: 4D00946 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, ecx 0x00000005 pushfd 0x00000006 jmp 00007F37B45370A4h 0x0000000b adc ecx, 00196608h 0x00000011 jmp 00007F37B453709Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00946 second address: 4D0094A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0094A second address: 4D0094E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0094E second address: 4D00954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00954 second address: 4D00987 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B453709Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F37B45370A0h 0x00000010 cmp dword ptr [7544459Ch], 05h 0x00000017 pushad 0x00000018 mov eax, 30CBAA2Dh 0x0000001d pushad 0x0000001e mov bx, ax 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00987 second address: 4D009BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 je 00007F3824C13D48h 0x0000000c jmp 00007F37B4535CE0h 0x00000011 pop ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F37B4535CE7h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00A39 second address: 4D00A96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B45370A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F37B453709Bh 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007F37B45370A5h 0x0000001b mov edx, esi 0x0000001d popad 0x0000001e movzx ecx, di 0x00000021 popad 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 pushad 0x00000027 mov edi, esi 0x00000029 popad 0x0000002a pop eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov al, F4h 0x00000030 jmp 00007F37B453709Bh 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10A03 second address: 4D10A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10A07 second address: 4D10A0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10A0B second address: 4D10A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10A11 second address: 4D10A4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F37B45370A0h 0x00000009 sbb esi, 1CA51B28h 0x0000000f jmp 00007F37B453709Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F37B45370A1h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10A4F second address: 4D10A84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 4AE8BDD2h 0x00000008 mov ah, bl 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, esi 0x0000000e pushad 0x0000000f mov dx, si 0x00000012 call 00007F37B4535CDCh 0x00000017 movzx ecx, bx 0x0000001a pop edx 0x0000001b popad 0x0000001c push eax 0x0000001d pushad 0x0000001e mov ax, dx 0x00000021 mov cx, bx 0x00000024 popad 0x00000025 xchg eax, esi 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 push esi 0x0000002a pop edx 0x0000002b pushad 0x0000002c popad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10A84 second address: 4D10A9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 mov dx, 8C92h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov esi, dword ptr [ebp+0Ch] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov cx, BC51h 0x00000016 mov si, CC8Dh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10A9F second address: 4D10ADA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F37B4535CE6h 0x00000010 je 00007F3824C035BFh 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10ADA second address: 4D10ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10ADE second address: 4D10AFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B4535CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D10AFB second address: 4D10B9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, dl 0x00000005 pushfd 0x00000006 jmp 00007F37B45370A8h 0x0000000b add ax, EBC8h 0x00000010 jmp 00007F37B453709Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 cmp dword ptr [7544459Ch], 05h 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F37B45370A4h 0x00000027 jmp 00007F37B45370A5h 0x0000002c popfd 0x0000002d popad 0x0000002e je 00007F3824C1C9CCh 0x00000034 pushad 0x00000035 mov ch, dh 0x00000037 mov bh, cl 0x00000039 popad 0x0000003a push ebp 0x0000003b pushad 0x0000003c call 00007F37B453709Ah 0x00000041 jmp 00007F37B45370A2h 0x00000046 pop ecx 0x00000047 mov esi, edx 0x00000049 popad 0x0000004a mov dword ptr [esp], esi 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 pushad 0x00000051 popad 0x00000052 mov eax, 590FC5FBh 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3FCB0F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 626419 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7852 Thread sleep time: -210000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7852 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, file.exe, 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696497155j
Source: file.exe, 00000000.00000003.1521304357.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1522746550.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1525055106.00000000056CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524670338.00000000056D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: multipart/form-data; boundary=A8CHGFSQ06VHXG923TMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Keep-Alive
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696497155
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: file.exe, 00000000.00000002.1602655677.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: file.exe, 00000000.00000002.1602655677.0000000001027000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.1522907213.00000000056CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524670338.00000000056CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1551144110.00000000056CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1545484064.00000000056CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1521304357.00000000056C2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1550281901.00000000056CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1525055106.00000000056CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1521426602.00000000056C9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1521591921.00000000056C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: --A8CHGFSQ06VHXG923T
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696497155o
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: file.exe, 00000000.00000003.1471508248.00000000056E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696497155p
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155
Source: file.exe, 00000000.00000003.1523408821.000000000109D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1525293509.000000000109D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1521705021.000000000109C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Content-Type: multipart/form-data; boundary=A8CHGFSQ06VHXG923T
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696497155f
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696497155s
Source: file.exe, 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: file.exe, 00000000.00000003.1521304357.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1522746550.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1525055106.00000000056CD000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1524670338.00000000056D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: multipart/form-data; boundary=A8CHGFSQ06VHXG923T
Source: file.exe, 00000000.00000003.1471508248.00000000056DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

barindex
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003DDF70 LdrInitializeThunk, 0_2_003DDF70
Source: file.exe, file.exe, 00000000.00000002.1601932848.0000000000582000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: xZProgram Manager
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: file.exe, 00000000.00000003.1551144110.00000000056B8000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1602655677.0000000001027000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: file.exe, file.exe, 00000000.00000003.1600238733.0000000001085000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1600086581.000000000107F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1546353038.0000000001085000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

barindex
Source: Yara match File source: Process Memory Space: file.exe PID: 7660, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: file.exe, 00000000.00000003.1524856660.0000000001096000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s/Electrum-LTC
Source: file.exe, 00000000.00000003.1524856660.0000000001096000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s/ElectronCash
Source: file.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: file.exe String found in binary or memory: Wallets/Exodus
Source: file.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe String found in binary or memory: keystore
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: Yara match File source: Process Memory Space: file.exe PID: 7660, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: Process Memory Space: file.exe PID: 7660, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs