Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562727
MD5: ae35cd7c9be6be3a150f903ddd1e411d
SHA1: 8ed830ee8e571e05afb58dd8755936eba832b72b
SHA256: 8be6a98bd5d89cf4adc715b3f0cd7914a47812086c13098f8bdb3fda1094b812
Tags: exeuser-Bitsight
Infos:

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: https://occupy-blushi.sbs/5 Avira URL Cloud: Label: malware
Source: https://occupy-blushi.sbs/apintel Avira URL Cloud: Label: malware
Source: https://occupy-blushi.sbs/api46k Avira URL Cloud: Label: malware
Source: https://occupy-blushi.sbs/apie Avira URL Cloud: Label: malware
Source: https://occupy-blushi.sbs/api?k Avira URL Cloud: Label: malware
Found malware configuration
Source: file.exe.5380.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": "https://occupy-blushi.sbs/api", "Build Version": "LOGS11--LiveTraffi"}
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 39%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AA8395 CryptUnprotectData, 0_2_00AA8395
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.187.240:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.240:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.240:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.240:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.240:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.240:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.240:443 -> 192.168.2.7:49729 version: TLS 1.2
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax+0576C96Fh] 0_2_00AC83C0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esi+eax+18DEF997h] 0_2_00ABC6B7
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add ecx, edx 0_2_00AC8690
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 61813E67h 0_2_00AB67C0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], 61813E67h 0_2_00AB67C0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-4EFF805Ch] 0_2_00AB67C0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebp, word ptr [eax] 0_2_00AD07C0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, ecx 0_2_00A9EAEB
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [ebp+edx-05DD6E63h] 0_2_00A9AA50
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edx], cl 0_2_00ABD44F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00AB3730
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [eax], bl 0_2_00A9DBE5
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [eax], dl 0_2_00A9DBE5
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then lea ecx, dword ptr [eax+eax] 0_2_00ACDC1F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, ebx 0_2_00ACC0C0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [eax+edi] 0_2_00ACC0C0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+78h] 0_2_00AB42E2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-781FA937h] 0_2_00AB8328
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 0_2_00AB2320
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [ebp+00h], 00000022h 0_2_00ABA5B0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-20h] 0_2_00AB2580
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [eax+ecx+00008F12h] 0_2_00A98520
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [ebp+edx*4+00h], ax 0_2_00A98520
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+34h] 0_2_00A98520
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_00ABA510
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx esi, byte ptr [ebp+edx+00h] 0_2_00A92620
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, eax 0_2_00AB6660
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then inc eax 0_2_00AAE7A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, edx 0_2_00AAE7A0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp edx 0_2_00A948EF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00A948EF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then push esi 0_2_00AACA60
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00A94BF8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-278BA32Fh] 0_2_00AB6B30
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebp, word ptr [eax] 0_2_00AD0B00
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00AB2C6C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [edx], si 0_2_00AB0DFC
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [ecx], dl 0_2_00ABCDF3
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx] 0_2_00ACEE70
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 0_2_00AA8F1F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [esp+ebx+0576C973h] 0_2_00AC90C0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edx, byte ptr [eax+edi] 0_2_00AAF1D0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add ebp, dword ptr [esp+0Ch] 0_2_00ABB120
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00AB910B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+58h] 0_2_00AB910B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx+00000100h] 0_2_00AA929E
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edi*8], 2AFA9B37h 0_2_00AB32E2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00AB32E2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00AB32E2
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edi*8], 2AFA9B37h 0_2_00AB3247
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00AB3247
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00AB3247
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov edx, ecx 0_2_00A9F3EF
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00AB910B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov eax, dword ptr [esp+58h] 0_2_00AB910B
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov dword ptr [esp+2Ch], ebp 0_2_00ACF3C0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx+00000100h] 0_2_00AA929E
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp byte ptr [eax+edi+23h], 00000000h 0_2_00A9B432
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_00AC5580
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [eax], cl 0_2_00ABD6F0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx esi, byte ptr [ecx] 0_2_00AB5672
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [eax], cl 0_2_00ABD65E
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then push esi 0_2_00AB17A3
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add ecx, eax 0_2_00AB579D
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00ABD72F
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 98D5A07Fh 0_2_00ACB840
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov esi, ecx 0_2_00ACB840
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx+20h] 0_2_00AB9970
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then add ecx, eax 0_2_00AB579D
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [ecx], al 0_2_00AAB940
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edx], cl 0_2_00AAB940
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov ecx, eax 0_2_00AABAA8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 0_2_00AA7AF1
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [ebx], cl 0_2_00ABBA11
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov esi, ebx 0_2_00AB9A43
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx eax, byte ptr [esp+edx-0000009Ah] 0_2_00ACDA5A
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx ebp, byte ptr [esp+esi-56FE73B9h] 0_2_00AB5BD0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h 0_2_00AA51D8
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then mov byte ptr [edi], cl 0_2_00ABDB6C
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp eax 0_2_00AB5EC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then cmp dword ptr [eax+esi*8], 1B6183F2h 0_2_00AB5EC0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then jmp ecx 0_2_00ABDE25
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx+04h] 0_2_00AA9FF0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-45h] 0_2_00AA9FF0
Source: C:\Users\user\Desktop\file.exe Code function: 4x nop then movzx edi, byte ptr [esp+edx+64h] 0_2_00AA9FF0

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49700 -> 172.67.187.240:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49700 -> 172.67.187.240:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49701 -> 172.67.187.240:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49701 -> 172.67.187.240:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49703 -> 172.67.187.240:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.7:49729 -> 172.67.187.240:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://occupy-blushi.sbs/api
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.187.240 172.67.187.240
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49709 -> 172.67.187.240:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 172.67.187.240:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49700 -> 172.67.187.240:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49729 -> 172.67.187.240:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49721 -> 172.67.187.240:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49703 -> 172.67.187.240:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49715 -> 172.67.187.240:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49748 -> 172.67.187.240:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: occupy-blushi.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 53Host: occupy-blushi.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=8AE9VENNN7RYOCYOZ7PUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12856Host: occupy-blushi.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=63DCI6ZSNTA8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15046Host: occupy-blushi.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SIWABCLOLDE61LUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20383Host: occupy-blushi.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PNCJJ9DMPVDVZRUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1205Host: occupy-blushi.sbs
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=K6F7MVXO0IUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 552792Host: occupy-blushi.sbs
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: property-imper.sbs
Source: global traffic DNS traffic detected: DNS query: frogs-severz.sbs
Source: global traffic DNS traffic detected: DNS query: occupy-blushi.sbs
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: occupy-blushi.sbs
Source: file.exe, 00000000.00000003.1359535887.000000000553D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1359535887.000000000553D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.1491953508.00000000007DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microh
Source: file.exe, 00000000.00000003.1359535887.000000000553D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1359535887.000000000553D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1359535887.000000000553D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1359535887.000000000553D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1359535887.000000000553D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.1359535887.000000000553D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1359535887.000000000553D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.1359535887.000000000553D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1359535887.000000000553D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.1311823430.0000000005479000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311582608.000000000547B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311679121.0000000005479000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1311823430.0000000005479000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311582608.000000000547B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311679121.0000000005479000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1311823430.0000000005479000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311582608.000000000547B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311679121.0000000005479000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1311823430.0000000005479000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311582608.000000000547B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311679121.0000000005479000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1311823430.0000000005479000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311582608.000000000547B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311679121.0000000005479000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1311823430.0000000005479000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311582608.000000000547B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311679121.0000000005479000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1311823430.0000000005479000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311582608.000000000547B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311679121.0000000005479000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.1491953508.00000000007DD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1492796351.00000000007E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1494390752.00000000007EB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1415146010.0000000000806000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1415016129.0000000000805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://occupy-blushi.sbs/
Source: file.exe, 00000000.00000003.1491953508.00000000007DD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1492796351.00000000007E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1494390752.00000000007EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://occupy-blushi.sbs/5
Source: file.exe, 00000000.00000003.1359202911.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1359393322.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1335705631.000000000080D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://occupy-blushi.sbs/api
Source: file.exe, 00000000.00000002.1494469265.0000000000805000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1432900868.0000000000804000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1432784543.0000000000803000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://occupy-blushi.sbs/api46k
Source: file.exe, 00000000.00000002.1494469265.0000000000805000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1432900868.0000000000804000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1415146010.0000000000806000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1432784543.0000000000803000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1415016129.0000000000805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://occupy-blushi.sbs/api?k
Source: file.exe, 00000000.00000003.1383847377.00000000007F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://occupy-blushi.sbs/apie
Source: file.exe, 00000000.00000003.1491953508.00000000007DD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1492796351.00000000007E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1494390752.00000000007EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://occupy-blushi.sbs/apintel
Source: file.exe, 00000000.00000003.1360495340.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1360495340.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.1311823430.0000000005479000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311582608.000000000547B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311679121.0000000005479000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1311823430.0000000005479000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311582608.000000000547B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1311679121.0000000005479000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.1360495340.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: file.exe, 00000000.00000003.1360495340.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: file.exe, 00000000.00000003.1360495340.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: file.exe, 00000000.00000003.1360495340.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1360495340.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown HTTPS traffic detected: 172.67.187.240:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.240:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.240:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.240:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.240:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.240:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.187.240:443 -> 192.168.2.7:49729 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ACE16C 0_2_00ACE16C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC83C0 0_2_00AC83C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ABC4D7 0_2_00ABC4D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC8690 0_2_00AC8690
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD07C0 0_2_00AD07C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9EAEB 0_2_00A9EAEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ABCD4F 0_2_00ABCD4F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ACAF20 0_2_00ACAF20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD11B0 0_2_00AD11B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AA151A 0_2_00AA151A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9D69D 0_2_00A9D69D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB3730 0_2_00AB3730
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AAF700 0_2_00AAF700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9B890 0_2_00A9B890
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB19C0 0_2_00AB19C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9DBE5 0_2_00A9DBE5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFE0AD 0_2_00AFE0AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B3C0B4 0_2_00B3C0B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7C0A1 0_2_00B7C0A1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC20AA 0_2_00BC20AA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6008D 0_2_00B6008D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA80D3 0_2_00BA80D3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B860D2 0_2_00B860D2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B460CC 0_2_00B460CC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A960D0 0_2_00A960D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BCA038 0_2_00BCA038
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB0035 0_2_00BB0035
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF4023 0_2_00BF4023
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7601F 0_2_00B7601F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B20019 0_2_00B20019
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B64001 0_2_00B64001
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B04074 0_2_00B04074
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9207D 0_2_00B9207D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4C07E 0_2_00B4C07E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFA059 0_2_00BFA059
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2C05C 0_2_00B2C05C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B1A1BD 0_2_00B1A1BD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B361A5 0_2_00B361A5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE0194 0_2_00BE0194
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB2189 0_2_00BB2189
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC4188 0_2_00BC4188
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBE18E 0_2_00BBE18E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BDA186 0_2_00BDA186
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC01F3 0_2_00BC01F3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF61F0 0_2_00BF61F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BCC1DA 0_2_00BCC1DA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9A1C0 0_2_00A9A1C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD01D4 0_2_00BD01D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AAE1D0 0_2_00AAE1D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF61D3 0_2_00AF61D3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9C138 0_2_00B9C138
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B66134 0_2_00B66134
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B3213C 0_2_00B3213C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0015B 0_2_00C0015B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BEE11F 0_2_00BEE11F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BCE108 0_2_00BCE108
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF2108 0_2_00BF2108
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9E161 0_2_00B9E161
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A92170 0_2_00A92170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF8147 0_2_00AF8147
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0E15D 0_2_00B0E15D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD414C 0_2_00BD414C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF814E 0_2_00BF814E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE14E 0_2_00BFE14E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9614B 0_2_00B9614B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B1014C 0_2_00B1014C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE62AB 0_2_00BE62AB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBA298 0_2_00BBA298
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA629D 0_2_00BA629D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2029C 0_2_00B2029C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BEC280 0_2_00BEC280
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB42E2 0_2_00AB42E2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4A2E6 0_2_00B4A2E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B822EB 0_2_00B822EB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5422F 0_2_00B5422F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC020C 0_2_00AC020C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BAA21B 0_2_00BAA21B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9E218 0_2_00A9E218
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B52200 0_2_00B52200
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B1C206 0_2_00B1C206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2E20C 0_2_00B2E20C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B74208 0_2_00B74208
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BDE202 0_2_00BDE202
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF227C 0_2_00BF227C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC8265 0_2_00BC8265
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B90262 0_2_00B90262
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2226E 0_2_00B2226E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B3826F 0_2_00B3826F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AA6274 0_2_00AA6274
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2626D 0_2_00B2626D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0A240 0_2_00B0A240
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B3E24A 0_2_00B3E24A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B48248 0_2_00B48248
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C003C3 0_2_00C003C3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AA8385 0_2_00AA8385
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE438E 0_2_00BE438E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD2381 0_2_00BD2381
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB63F3 0_2_00BB63F3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B063FD 0_2_00B063FD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B943E9 0_2_00B943E9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B883EF 0_2_00B883EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B183EF 0_2_00B183EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9C3D4 0_2_00A9C3D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB8328 0_2_00AB8328
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B84330 0_2_00B84330
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B58325 0_2_00B58325
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9E30D 0_2_00B9E30D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B92305 0_2_00B92305
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B52372 0_2_00B52372
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B56372 0_2_00B56372
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B02379 0_2_00B02379
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC2360 0_2_00AC2360
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2C37D 0_2_00B2C37D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE636E 0_2_00BE636E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC636E 0_2_00BC636E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B3A365 0_2_00B3A365
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8C36F 0_2_00B8C36F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF64BE 0_2_00BF64BE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA04B3 0_2_00BA04B3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B304B8 0_2_00B304B8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5A4AD 0_2_00B5A4AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF648D 0_2_00AF648D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4C48C 0_2_00B4C48C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD8485 0_2_00BD8485
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFA494 0_2_00AFA494
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B764E6 0_2_00B764E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B1E4E4 0_2_00B1E4E4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE4E8 0_2_00BFE4E8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AA24F0 0_2_00AA24F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BAE434 0_2_00BAE434
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C04451 0_2_00C04451
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF8407 0_2_00AF8407
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9C408 0_2_00B9C408
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6A471 0_2_00B6A471
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8A470 0_2_00B8A470
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B1247F 0_2_00B1247F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B64467 0_2_00B64467
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF4465 0_2_00BF4465
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8245F 0_2_00B8245F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B965B3 0_2_00B965B3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BCE5B7 0_2_00BCE5B7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B085BE 0_2_00B085BE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ABA5B0 0_2_00ABA5B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BDE598 0_2_00BDE598
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB2580 0_2_00AB2580
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7859C 0_2_00B7859C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6258F 0_2_00B6258F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9A5E0 0_2_00A9A5E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBA5F6 0_2_00BBA5F6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B3E5FD 0_2_00B3E5FD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BCA5EF 0_2_00BCA5EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B445E0 0_2_00B445E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC05C0 0_2_00AC05C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2A5C6 0_2_00B2A5C6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BAA5C4 0_2_00BAA5C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBE533 0_2_00BBE533
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A98520 0_2_00A98520
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5E53F 0_2_00B5E53F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B66524 0_2_00B66524
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF8525 0_2_00BF8525
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BEE520 0_2_00BEE520
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C6A563 0_2_00C6A563
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5C518 0_2_00B5C518
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B86509 0_2_00B86509
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B32500 0_2_00B32500
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8E507 0_2_00B8E507
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0057C 0_2_00B0057C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B72579 0_2_00B72579
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE256A 0_2_00BE256A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AAE570 0_2_00AAE570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7E56A 0_2_00B7E56A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC055A 0_2_00BC055A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AA0542 0_2_00AA0542
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B3655C 0_2_00B3655C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B606A5 0_2_00B606A5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2E6A8 0_2_00B2E6A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0A69B 0_2_00B0A69B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B806FA 0_2_00B806FA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C5E694 0_2_00C5E694
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B906C8 0_2_00B906C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7C632 0_2_00B7C632
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A92620 0_2_00A92620
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B98614 0_2_00B98614
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B22608 0_2_00B22608
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B54673 0_2_00B54673
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BDC66C 0_2_00BDC66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BEC662 0_2_00BEC662
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9A65E 0_2_00B9A65E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC2640 0_2_00AC2640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFC64E 0_2_00BFC64E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4664E 0_2_00B4664E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B92645 0_2_00B92645
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AA67AA 0_2_00AA67AA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AAE7A0 0_2_00AAE7A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB07AD 0_2_00BB07AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF4784 0_2_00AF4784
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFA79A 0_2_00AFA79A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB478E 0_2_00BB478E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2C784 0_2_00B2C784
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB8783 0_2_00BB8783
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A96790 0_2_00A96790
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B187EC 0_2_00B187EC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA87DA 0_2_00BA87DA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8E7D6 0_2_00B8E7D6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BCC7D3 0_2_00BCC7D3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF47D9 0_2_00AF47D9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B267CF 0_2_00B267CF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BAE7C7 0_2_00BAE7C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8C7C7 0_2_00B8C7C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC6736 0_2_00BC6736
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C6874D 0_2_00C6874D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF8724 0_2_00AF8724
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB272F 0_2_00BB272F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B34719 0_2_00B34719
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5671A 0_2_00B5671A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B02706 0_2_00B02706
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4C767 0_2_00B4C767
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE4763 0_2_00BE4763
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA2765 0_2_00BA2765
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B3E754 0_2_00B3E754
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6E742 0_2_00B6E742
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9E745 0_2_00B9E745
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE48B4 0_2_00BE48B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C048E4 0_2_00C048E4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C608EB 0_2_00C608EB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBC886 0_2_00BBC886
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A948EF 0_2_00A948EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B648FA 0_2_00B648FA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B288E4 0_2_00B288E4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD08EB 0_2_00BD08EB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD88E1 0_2_00BD88E1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B568D9 0_2_00B568D9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B908C8 0_2_00B908C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B408C8 0_2_00B408C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5C82A 0_2_00B5C82A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B20819 0_2_00B20819
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA6804 0_2_00BA6804
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB687C 0_2_00BB687C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFE874 0_2_00AFE874
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B66853 0_2_00B66853
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0485C 0_2_00B0485C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA4855 0_2_00BA4855
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0284A 0_2_00B0284A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC4847 0_2_00BC4847
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B009B9 0_2_00B009B9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B169AD 0_2_00B169AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0C9AE 0_2_00B0C9AE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B22997 0_2_00B22997
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5E99A 0_2_00B5E99A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B86982 0_2_00B86982
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B349FB 0_2_00B349FB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFA9F7 0_2_00BFA9F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B389FF 0_2_00B389FF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4C9E6 0_2_00B4C9E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B129CA 0_2_00B129CA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B329CE 0_2_00B329CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B70937 0_2_00B70937
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C00948 0_2_00C00948
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BAA933 0_2_00BAA933
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ACE93D 0_2_00ACE93D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B68924 0_2_00B68924
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2A905 0_2_00B2A905
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFA915 0_2_00AFA915
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BEE905 0_2_00BEE905
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B76979 0_2_00B76979
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7C96E 0_2_00B7C96E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBA960 0_2_00BBA960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BAE945 0_2_00BAE945
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C5CAD3 0_2_00C5CAD3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BDCAAB 0_2_00BDCAAB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B1EA9B 0_2_00B1EA9B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B62A8F 0_2_00B62A8F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA6A84 0_2_00BA6A84
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A92AC0 0_2_00A92AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7AA3F 0_2_00B7AA3F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BCAA2E 0_2_00BCAA2E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE2A23 0_2_00BE2A23
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BDEA23 0_2_00BDEA23
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA0A14 0_2_00BA0A14
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0EA01 0_2_00B0EA01
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC0A03 0_2_00BC0A03
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AACA60 0_2_00AACA60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B74A68 0_2_00B74A68
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B98A5F 0_2_00B98A5F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B14A58 0_2_00B14A58
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9AA4C 0_2_00B9AA4C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF4A46 0_2_00BF4A46
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB0BA9 0_2_00BB0BA9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8ABA2 0_2_00B8ABA2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B96B9C 0_2_00B96B9C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B46B9E 0_2_00B46B9E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B52B81 0_2_00B52B81
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ABAB90 0_2_00ABAB90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5ABF1 0_2_00B5ABF1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B1CBF7 0_2_00B1CBF7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE8BF4 0_2_00BE8BF4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A94BF8 0_2_00A94BF8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BCCBE7 0_2_00BCCBE7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B60BC5 0_2_00B60BC5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B26BCA 0_2_00B26BCA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B88BC7 0_2_00B88BC7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B20B37 0_2_00B20B37
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC2B29 0_2_00BC2B29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B80B25 0_2_00B80B25
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5EB2B 0_2_00B5EB2B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA2B25 0_2_00BA2B25
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD0B00 0_2_00AD0B00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AA4B10 0_2_00AA4B10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB8B7F 0_2_00BB8B7F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B54B73 0_2_00B54B73
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF4B72 0_2_00AF4B72
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6EB6B 0_2_00B6EB6B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B68B5E 0_2_00B68B5E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFCB43 0_2_00AFCB43
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD6B50 0_2_00BD6B50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0AB5E 0_2_00B0AB5E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B16B41 0_2_00B16B41
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0EB43 0_2_00B0EB43
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B30B40 0_2_00B30B40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4ECB3 0_2_00B4ECB3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BEEC9F 0_2_00BEEC9F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B70C94 0_2_00B70C94
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC0C9F 0_2_00BC0C9F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B3AC80 0_2_00B3AC80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B92C8F 0_2_00B92C8F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B86CF4 0_2_00B86CF4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD8CEE 0_2_00BD8CEE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B34CE5 0_2_00B34CE5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B12CED 0_2_00B12CED
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFECCC 0_2_00BFECCC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B48CC0 0_2_00B48CC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6CCCA 0_2_00B6CCCA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA4CC6 0_2_00BA4CC6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB6C3D 0_2_00BB6C3D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B3EC3E 0_2_00B3EC3E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA8C28 0_2_00BA8C28
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B44C20 0_2_00B44C20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B02C11 0_2_00B02C11
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B36C03 0_2_00B36C03
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8EC08 0_2_00B8EC08
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7EC06 0_2_00B7EC06
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C66C78 0_2_00C66C78
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB4C05 0_2_00BB4C05
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF0C7F 0_2_00BF0C7F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC8C7A 0_2_00BC8C7A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB2C6C 0_2_00AB2C6C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6AC57 0_2_00B6AC57
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B58C45 0_2_00B58C45
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B66C49 0_2_00B66C49
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BCADBD 0_2_00BCADBD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B64D98 0_2_00B64D98
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B3CD8D 0_2_00B3CD8D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B76D88 0_2_00B76D88
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC8DE0 0_2_00AC8DE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB0DFC 0_2_00AB0DFC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BDCDDE 0_2_00BDCDDE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B24D29 0_2_00B24D29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB6D18 0_2_00AB6D18
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE4D03 0_2_00BE4D03
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC2D7D 0_2_00BC2D7D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF6D65 0_2_00AF6D65
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C00D0D 0_2_00C00D0D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B82D6A 0_2_00B82D6A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B8AD6A 0_2_00B8AD6A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B78D61 0_2_00B78D61
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5AD53 0_2_00B5AD53
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BDED55 0_2_00BDED55
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B40D45 0_2_00B40D45
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B68D40 0_2_00B68D40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B72D41 0_2_00B72D41
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF6EA9 0_2_00BF6EA9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFAE91 0_2_00BFAE91
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBEE8B 0_2_00BBEE8B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B90E8D 0_2_00B90E8D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B86E80 0_2_00B86E80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9AE86 0_2_00B9AE86
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B3EEE5 0_2_00B3EEE5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B24ED6 0_2_00B24ED6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B80ED7 0_2_00B80ED7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE2E3E 0_2_00BE2E3E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF4E3F 0_2_00BF4E3F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA0E32 0_2_00BA0E32
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B54E39 0_2_00B54E39
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA2E21 0_2_00BA2E21
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9CE11 0_2_00B9CE11
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD4E0F 0_2_00BD4E0F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BDAE07 0_2_00BDAE07
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4CE61 0_2_00B4CE61
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BEEE69 0_2_00BEEE69
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ACEE70 0_2_00ACEE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B1AE6E 0_2_00B1AE6E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD0E50 0_2_00AD0E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BECFB2 0_2_00BECFB2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AA6F8E 0_2_00AA6F8E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B94F9E 0_2_00B94F9E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B12F9E 0_2_00B12F9E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C5AFF5 0_2_00C5AFF5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0AF88 0_2_00B0AF88
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0EF8F 0_2_00B0EF8F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B64FFA 0_2_00B64FFA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B06FD2 0_2_00B06FD2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B96FDE 0_2_00B96FDE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0CFD8 0_2_00B0CFD8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AEFAD6 0_2_00AEFAD6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B84FC7 0_2_00B84FC7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4AF34 0_2_00B4AF34
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B98F2E 0_2_00B98F2E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B66F77 0_2_00B66F77
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B20F71 0_2_00B20F71
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C02F0A 0_2_00C02F0A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B48F60 0_2_00B48F60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B60F53 0_2_00B60F53
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB8F5C 0_2_00BB8F5C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF4F41 0_2_00AF4F41
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BDCF49 0_2_00BDCF49
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B230BA 0_2_00B230BA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB5095 0_2_00BB5095
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD308A 0_2_00BD308A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B390F7 0_2_00B390F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B770FC 0_2_00B770FC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B7F0FA 0_2_00B7F0FA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B450EE 0_2_00B450EE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC90E2 0_2_00BC90E2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC10DE 0_2_00BC10DE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B1D0D4 0_2_00B1D0D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF10CE 0_2_00BF10CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B430C7 0_2_00B430C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA90C9 0_2_00BA90C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BDF0C9 0_2_00BDF0C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D530A0 0_2_00D530A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2903B 0_2_00B2903B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFF024 0_2_00AFF024
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BEB07D 0_2_00BEB07D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE107B 0_2_00BE107B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ABD067 0_2_00ABD067
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9D066 0_2_00B9D066
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B5D050 0_2_00B5D050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B3B054 0_2_00B3B054
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B93050 0_2_00B93050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BAF055 0_2_00BAF055
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ABD052 0_2_00ABD052
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B731B3 0_2_00B731B3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B3D1A2 0_2_00B3D1A2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE91AD 0_2_00BE91AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2F1A7 0_2_00B2F1A7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE319D 0_2_00BE319D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B371F4 0_2_00B371F4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0118A 0_2_00C0118A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B871EC 0_2_00B871EC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B051E7 0_2_00B051E7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B1F1EF 0_2_00B1F1EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B331DE 0_2_00B331DE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B3F1C6 0_2_00B3F1C6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B791CF 0_2_00B791CF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ACF1D0 0_2_00ACF1D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD1130 0_2_00BD1130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE712B 0_2_00BE712B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF9137 0_2_00AF9137
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB910B 0_2_00AB910B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BAB11D 0_2_00BAB11D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4F106 0_2_00B4F106
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B31108 0_2_00B31108
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA517E 0_2_00BA517E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B13163 0_2_00B13163
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B09162 0_2_00B09162
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B1B15C 0_2_00B1B15C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB1143 0_2_00BB1143
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B59149 0_2_00B59149
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B1514C 0_2_00B1514C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BE52B0 0_2_00BE52B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B852AB 0_2_00B852AB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6F2AF 0_2_00B6F2AF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD529E 0_2_00BD529E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BED295 0_2_00BED295
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B83286 0_2_00B83286
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB32E2 0_2_00AB32E2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ACF2E0 0_2_00ACF2E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B692C7 0_2_00B692C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B632CF 0_2_00B632CF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA7236 0_2_00BA7236
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BAD235 0_2_00BAD235
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B35220 0_2_00B35220
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B1B228 0_2_00B1B228
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFB223 0_2_00BFB223
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9F20D 0_2_00B9F20D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA3206 0_2_00BA3206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B25264 0_2_00B25264
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C6521A 0_2_00C6521A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB3247 0_2_00AB3247
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BF9248 0_2_00BF9248
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B233A6 0_2_00B233A6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B993AE 0_2_00B993AE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6139A 0_2_00B6139A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AAB390 0_2_00AAB390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD3386 0_2_00BD3386
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFF3E7 0_2_00BFF3E7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B473EF 0_2_00B473EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BC33D4 0_2_00BC33D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB910B 0_2_00AB910B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ACF3C0 0_2_00ACF3C0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00AA4B00 appears 66 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00A99080 appears 54 times
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 1.0003633720930232
Source: file.exe Static PE information: Section: yjzienyf ZLIB complexity 0.9945862808549066
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@3/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ABE450 CoCreateInstance, 0_2_00ABE450
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000003.1312111877.0000000005466000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1336288565.0000000005448000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1312599913.0000000005448000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 39%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: file.exe Static file information: File size 1870848 > 1048576
Source: file.exe Static PE information: Raw size of yjzienyf is bigger than: 0x100000 < 0x19f400

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.a90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yjzienyf:EW;xccchzgg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;yjzienyf:EW;xccchzgg:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x1d6aef should be: 0x1d4c85
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: yjzienyf
Source: file.exe Static PE information: section name: xccchzgg
Source: file.exe Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF20A7 push 3EAA57E4h; mov dword ptr [esp], esi 0_2_00AF20AF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF20F3 push eax; mov dword ptr [esp], ecx 0_2_00AF2106
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB0035 push 5C17A471h; mov dword ptr [esp], ecx 0_2_00BB05DD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB0035 push 6AC719B5h; mov dword ptr [esp], edx 0_2_00BB0602
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BB0035 push esi; mov dword ptr [esp], ecx 0_2_00BB062A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D74076 push esi; mov dword ptr [esp], eax 0_2_00D740C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D74076 push esi; mov dword ptr [esp], eax 0_2_00D740E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF0001 push ecx; mov dword ptr [esp], ebx 0_2_00AF2805
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF0001 push 6ABA8FBAh; mov dword ptr [esp], ebp 0_2_00AF280D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AEC01F push esi; mov dword ptr [esp], eax 0_2_00AEC20C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C1201C push edi; mov dword ptr [esp], eax 0_2_00C12077
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C1201C push ecx; mov dword ptr [esp], eax 0_2_00C12090
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C1201C push 5582F69Ah; mov dword ptr [esp], ebx 0_2_00C12159
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C1201C push edi; mov dword ptr [esp], 33A48DD4h 0_2_00C1215D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C1201C push ebx; mov dword ptr [esp], ebp 0_2_00C121AB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4E182 push ebx; mov dword ptr [esp], ecx 0_2_00B4E1E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4E182 push 3423EED2h; mov dword ptr [esp], edx 0_2_00B4E251
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4E182 push ecx; mov dword ptr [esp], eax 0_2_00B4E2E5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4E182 push ecx; mov dword ptr [esp], esi 0_2_00B4E2EC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CE4180 push ecx; mov dword ptr [esp], esi 0_2_00CE4281
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0015B push ebp; mov dword ptr [esp], edi 0_2_00C00218
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0015B push 1429DF18h; mov dword ptr [esp], edi 0_2_00C00245
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0015B push edi; mov dword ptr [esp], 3C9A7FA4h 0_2_00C00257
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0015B push eax; mov dword ptr [esp], edx 0_2_00C00276
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C0015B push ebp; mov dword ptr [esp], 0BDFE2B0h 0_2_00C002F5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CDE16C push edi; mov dword ptr [esp], edx 0_2_00CDE1DC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD414C push eax; mov dword ptr [esp], 7FBFA0C8h 0_2_00BD46D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD414C push edx; mov dword ptr [esp], 2B97EAF5h 0_2_00BD47A4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BD414C push 69269A32h; mov dword ptr [esp], edx 0_2_00BD47E8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF22A0 push 606CA96Ch; mov dword ptr [esp], ebp 0_2_00AF22AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AEC2ED push 791AABA7h; mov dword ptr [esp], ebp 0_2_00AEC2F8
Source: file.exe Static PE information: section name: entropy: 7.977158062158779
Source: file.exe Static PE information: section name: yjzienyf entropy: 7.9544746037347664

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation Jump to behavior
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6F33A second address: C6F35C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518348h 0x00000007 jl 00007F29FC518342h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6F728 second address: C6F72D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6F72D second address: C6F73D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F29FC51833Ah 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6F73D second address: C6F751 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD43470h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6F8AC second address: C6F8C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F29FC51833Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6F8C0 second address: C6F8C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C71335 second address: C7133B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C713C9 second address: C7141C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD4346Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b jno 00007F29FCD43468h 0x00000011 pop ebx 0x00000012 nop 0x00000013 movzx esi, bx 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007F29FCD43468h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 00000015h 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 mov esi, dword ptr [ebp+122D37FDh] 0x00000038 push EABA721Ah 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 ja 00007F29FCD43466h 0x00000046 push ebx 0x00000047 pop ebx 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C715F6 second address: C71653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 jmp 00007F29FC518346h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F29FC518338h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D25F0h], ebx 0x0000002f push 00000000h 0x00000031 sub cx, 4883h 0x00000036 call 00007F29FC518339h 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push eax 0x0000003f pop eax 0x00000040 pop eax 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C71653 second address: C7168E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD43470h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F29FCD43478h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jc 00007F29FCD43466h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7168E second address: C71692 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C71692 second address: C71698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C71698 second address: C716CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC51833Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jne 00007F29FC518340h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push edx 0x00000018 jmp 00007F29FC51833Ah 0x0000001d pop edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C716CE second address: C716D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C716D3 second address: C7175E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F29FC518336h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop eax 0x0000000e or si, 1DD4h 0x00000013 push 00000003h 0x00000015 mov ecx, 60655A36h 0x0000001a jg 00007F29FC518339h 0x00000020 push 00000000h 0x00000022 push 00000003h 0x00000024 xor dword ptr [ebp+122D1B06h], edi 0x0000002a push 4B9198E1h 0x0000002f jmp 00007F29FC518348h 0x00000034 add dword ptr [esp], 746E671Fh 0x0000003b push 00000000h 0x0000003d push eax 0x0000003e call 00007F29FC518338h 0x00000043 pop eax 0x00000044 mov dword ptr [esp+04h], eax 0x00000048 add dword ptr [esp+04h], 00000016h 0x00000050 inc eax 0x00000051 push eax 0x00000052 ret 0x00000053 pop eax 0x00000054 ret 0x00000055 sub edx, dword ptr [ebp+122D37B5h] 0x0000005b lea ebx, dword ptr [ebp+12458266h] 0x00000061 mov edi, dword ptr [ebp+122D250Ch] 0x00000067 push eax 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b jng 00007F29FC518336h 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7175E second address: C71768 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C93677 second address: C93681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F29FC518336h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C93681 second address: C9368F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD4346Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9368F second address: C93694 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6679C second address: C667A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C917DE second address: C917E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C917E4 second address: C917EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C917EF second address: C917F4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C91AD7 second address: C91ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C91ADB second address: C91AEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F29FC51833Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C91C89 second address: C91CA8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jno 00007F29FCD43466h 0x00000009 jmp 00007F29FCD4346Eh 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C91CA8 second address: C91CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F29FC51833Eh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C91F83 second address: C91F87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9212D second address: C92131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C92444 second address: C9247C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD43473h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jnc 00007F29FCD43476h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 js 00007F29FCD43466h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C89EA8 second address: C89EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C63130 second address: C63148 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD43474h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C63148 second address: C63168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnc 00007F29FC518336h 0x0000000d jmp 00007F29FC518342h 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C63168 second address: C6316E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6316E second address: C63172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C92D95 second address: C92DFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FCD4346Fh 0x00000009 popad 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push edi 0x0000000e pop edi 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007F29FCD43471h 0x00000016 popad 0x00000017 jmp 00007F29FCD43478h 0x0000001c jmp 00007F29FCD43477h 0x00000021 popad 0x00000022 push esi 0x00000023 push eax 0x00000024 push edx 0x00000025 jnp 00007F29FCD43466h 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C92F71 second address: C92F75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C930F2 second address: C930F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C96E0E second address: C96E12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C96E12 second address: C96E1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C96E1C second address: C96E52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518341h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F29FC51833Ch 0x00000014 pushad 0x00000015 jc 00007F29FC518336h 0x0000001b jng 00007F29FC518336h 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6821D second address: C68236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F29FCD43472h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C68236 second address: C6823A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99AD0 second address: C99ADC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99ADC second address: C99AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99AE0 second address: C99AE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0003 second address: CA000B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA000B second address: CA0025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F29FCD43471h 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9F6F7 second address: C9F705 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F29FC518336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9F705 second address: C9F709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9F709 second address: C9F724 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jbe 00007F29FC518336h 0x00000010 push edi 0x00000011 pop edi 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 push edi 0x00000016 pushad 0x00000017 popad 0x00000018 push edi 0x00000019 pop edi 0x0000001a pop edi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9FCD5 second address: C9FD0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F29FCD43466h 0x0000000a popad 0x0000000b jmp 00007F29FCD4346Dh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 jbe 00007F29FCD43466h 0x0000001a jmp 00007F29FCD4346Ah 0x0000001f pop eax 0x00000020 jl 00007F29FCD4346Ch 0x00000026 js 00007F29FCD43466h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9FEAC second address: C9FEC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F29FC518347h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9FEC8 second address: C9FEE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F29FCD43466h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jg 00007F29FCD43466h 0x00000014 jmp 00007F29FCD4346Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA200C second address: CA2026 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29FC518346h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA27EB second address: CA27F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2D8A second address: CA2D8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2D8E second address: CA2D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2D9A second address: CA2DA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F29FC518336h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2DA9 second address: CA2DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2F67 second address: CA2F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA301B second address: CA301F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA32B4 second address: CA32B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA521E second address: CA5222 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA5222 second address: CA5228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA5C92 second address: CA5C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA5A49 second address: CA5A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA5A4D second address: CA5A72 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F29FCD43466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F29FCD43479h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA731F second address: CA739B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F29FC518338h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 and di, 1387h 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edx 0x0000002f call 00007F29FC518338h 0x00000034 pop edx 0x00000035 mov dword ptr [esp+04h], edx 0x00000039 add dword ptr [esp+04h], 0000001Bh 0x00000041 inc edx 0x00000042 push edx 0x00000043 ret 0x00000044 pop edx 0x00000045 ret 0x00000046 and di, 9FA1h 0x0000004b mov esi, dword ptr [ebp+12460ED6h] 0x00000051 jmp 00007F29FC518342h 0x00000056 xchg eax, ebx 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a ja 00007F29FC518336h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA739B second address: CA739F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA709B second address: CA70B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29FC518345h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAC6F5 second address: CAC6FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F29FCD43466h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD94F second address: CAD955 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD955 second address: CAD968 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F29FCD43468h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAE9AC second address: CAE9B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD968 second address: CAD9F9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 add dword ptr [ebp+122D3248h], eax 0x0000000f push dword ptr fs:[00000000h] 0x00000016 mov edi, dword ptr [ebp+122D1883h] 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 mov ebx, dword ptr [ebp+122D3819h] 0x00000029 mov eax, dword ptr [ebp+122D0225h] 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007F29FCD43468h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 00000019h 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 mov dword ptr [ebp+1245A293h], edi 0x0000004f push FFFFFFFFh 0x00000051 push 00000000h 0x00000053 push ebx 0x00000054 call 00007F29FCD43468h 0x00000059 pop ebx 0x0000005a mov dword ptr [esp+04h], ebx 0x0000005e add dword ptr [esp+04h], 00000017h 0x00000066 inc ebx 0x00000067 push ebx 0x00000068 ret 0x00000069 pop ebx 0x0000006a ret 0x0000006b movzx edi, cx 0x0000006e push eax 0x0000006f pushad 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007F29FCD43473h 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAF859 second address: CAF863 instructions: 0x00000000 rdtsc 0x00000002 js 00007F29FC518336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAE9B8 second address: CAE9BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB0694 second address: CB0698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAE9BE second address: CAE9C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB0698 second address: CB069C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAE9C3 second address: CAE9CD instructions: 0x00000000 rdtsc 0x00000002 je 00007F29FCD4346Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB069C second address: CB06A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB06A9 second address: CB06AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB16DA second address: CB16DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB16DF second address: CB1788 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jns 00007F29FCD43470h 0x00000011 nop 0x00000012 mov edi, dword ptr [ebp+122D3951h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007F29FCD43468h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 add dword ptr [ebp+122D2F4Bh], edi 0x0000003a mov edi, ebx 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push eax 0x00000041 call 00007F29FCD43468h 0x00000046 pop eax 0x00000047 mov dword ptr [esp+04h], eax 0x0000004b add dword ptr [esp+04h], 0000001Dh 0x00000053 inc eax 0x00000054 push eax 0x00000055 ret 0x00000056 pop eax 0x00000057 ret 0x00000058 mov ebx, ecx 0x0000005a pushad 0x0000005b mov dword ptr [ebp+12452DD4h], edx 0x00000061 js 00007F29FCD43479h 0x00000067 jmp 00007F29FCD43473h 0x0000006c popad 0x0000006d push eax 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007F29FCD4346Fh 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB1788 second address: CB17A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29FC518345h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB19B1 second address: CB19B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB19B7 second address: CB19D9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F29FC518336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jc 00007F29FC51833Ch 0x00000014 jns 00007F29FC518336h 0x0000001a je 00007F29FC51833Ch 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB28DD second address: CB28EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD4346Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB66D5 second address: CB66DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB875B second address: CB875F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB4822 second address: CB4828 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB6851 second address: CB6856 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5778 second address: CB5805 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a mov bh, D8h 0x0000000c push dword ptr fs:[00000000h] 0x00000013 push ebx 0x00000014 mov dword ptr [ebp+12468E0Eh], eax 0x0000001a pop ebx 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 call 00007F29FC518341h 0x00000027 mov di, B110h 0x0000002b pop ebx 0x0000002c jnc 00007F29FC51833Ch 0x00000032 mov eax, dword ptr [ebp+122D050Dh] 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007F29FC518338h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 00000017h 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 push FFFFFFFFh 0x00000054 mov bl, A0h 0x00000056 nop 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a jo 00007F29FC518336h 0x00000060 jmp 00007F29FC518345h 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB77D9 second address: CB77DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB875F second address: CB876D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB6856 second address: CB686A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F29FCD43466h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5805 second address: CB5822 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F29FC518336h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007F29FC51833Ch 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB77DD second address: CB77E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB876D second address: CB8773 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB686A second address: CB686E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB77E3 second address: CB77E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB8773 second address: CB877E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F29FCD43466h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB686E second address: CB6874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB877E second address: CB87CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F29FCD43468h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 mov edi, dword ptr [ebp+122D36D1h] 0x0000002a mov bl, 03h 0x0000002c mov edi, dword ptr [ebp+122D1883h] 0x00000032 push 00000000h 0x00000034 mov di, B98Ch 0x00000038 add dword ptr [ebp+122D2AFAh], edx 0x0000003e xchg eax, esi 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push ecx 0x00000043 pop ecx 0x00000044 pop eax 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB87CA second address: CB87D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F29FC518336h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBA95D second address: CBA961 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBA961 second address: CBA96B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBA96B second address: CBA96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBA96F second address: CBA97D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5C615 second address: C5C61B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5C61B second address: C5C630 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F29FC51833Ch 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBAF1C second address: CBAF3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F29FCD43466h 0x0000000a popad 0x0000000b jnl 00007F29FCD4346Ch 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jc 00007F29FCD43466h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBAF3F second address: CBAF45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBBECF second address: CBBED3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB0B5 second address: CBB0D7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F29FC518336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F29FC518346h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBC196 second address: CBC1A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBC1A0 second address: CBC1A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF5E6 second address: CBF5F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F29FCD43466h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF5F1 second address: CBF613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F29FC518344h 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBD0DE second address: CBD0EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD4346Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBD0EC second address: CBD0F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBD0F2 second address: CBD0F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC72CC second address: CC72E0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F29FC518336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push edx 0x0000000c je 00007F29FC51833Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC6B71 second address: CC6B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5AB0A second address: C5AB0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCDCB8 second address: CCDCD7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F29FCD43466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F29FCD4346Ch 0x00000010 popad 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCDCD7 second address: CCDCDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCDCDD second address: CCDCFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F29FCD43477h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD2C09 second address: CD2C0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD2C0D second address: CD2C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C64CF4 second address: C64CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C64CF8 second address: C64D02 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F29FCD43466h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C64D02 second address: C64D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F29FC518349h 0x0000000c jne 00007F29FC51833Ch 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jc 00007F29FC518336h 0x0000001c jmp 00007F29FC51833Eh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C64D45 second address: C64D73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD4346Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F29FCD43475h 0x00000010 pushad 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD19C4 second address: CD19ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC518348h 0x00000009 jmp 00007F29FC51833Bh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD19ED second address: CD1A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F29FCD4346Eh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD1A00 second address: CD1A08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD233A second address: CD2340 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD2480 second address: CD249C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F29FC518341h 0x00000008 jg 00007F29FC518336h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD25E5 second address: CD25EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD2749 second address: CD2775 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518348h 0x00000007 jmp 00007F29FC518340h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD2775 second address: CD27B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD43478h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007F29FCD43477h 0x00000010 jmp 00007F29FCD43471h 0x00000015 jnp 00007F29FCD4346Eh 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD28DE second address: CD2914 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518346h 0x00000007 jmp 00007F29FC518341h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD2A5F second address: CD2A6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD87F4 second address: CD87F9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD87F9 second address: CD882C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 jmp 00007F29FCD43478h 0x0000000d jnc 00007F29FCD43466h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jo 00007F29FCD4348Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD882C second address: CD8830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD8C61 second address: CD8C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 push edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD8C6D second address: CD8C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD90AB second address: CD90B1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD90B1 second address: CD90BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD90BB second address: CD90CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FCD43470h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD90CF second address: CD90D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD90D5 second address: CD90E5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F29FCD43466h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDE7A second address: CDDE7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDFB4 second address: CDDFB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE23D second address: CDE24B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F29FC518336h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE24B second address: CDE266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FCD4346Bh 0x00000009 jmp 00007F29FCD4346Bh 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE266 second address: CDE26D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE26D second address: CDE27C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 js 00007F29FCD4346Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE402 second address: CDE42A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F29FC518336h 0x0000000f jmp 00007F29FC518349h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE42A second address: CDE42E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE6D4 second address: CDE6DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDEB94 second address: CDEB9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDEB9A second address: CDEBB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F29FC518338h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jg 00007F29FC518336h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDF038 second address: CDF042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD919 second address: CDD91D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD91D second address: CDD935 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD43474h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD935 second address: CDD952 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F29FC518345h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0832 second address: C89EA8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007F29FCD43478h 0x0000000f jmp 00007F29FCD43472h 0x00000014 nop 0x00000015 mov dword ptr [ebp+122D276Bh], eax 0x0000001b lea eax, dword ptr [ebp+124875CBh] 0x00000021 add dword ptr [ebp+122D1ABCh], edx 0x00000027 nop 0x00000028 jmp 00007F29FCD43479h 0x0000002d push eax 0x0000002e jmp 00007F29FCD4346Bh 0x00000033 nop 0x00000034 mov cl, 67h 0x00000036 call dword ptr [ebp+122D566Ch] 0x0000003c pushad 0x0000003d jo 00007F29FCD43477h 0x00000043 jmp 00007F29FCD4346Fh 0x00000048 push ecx 0x00000049 pop ecx 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0D01 second address: CA0D08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0D08 second address: CA0D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b jnp 00007F29FCD43466h 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0E20 second address: CA0E26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0EEB second address: CA0EEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0EEF second address: CA0EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA1176 second address: CA117A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA12FA second address: CA135B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 ja 00007F29FC51834Ah 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F29FC518338h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D1A29h], ebx 0x0000002f push 00000004h 0x00000031 mov edx, dword ptr [ebp+122D39F9h] 0x00000037 push eax 0x00000038 jc 00007F29FC518352h 0x0000003e push eax 0x0000003f push edx 0x00000040 jp 00007F29FC518336h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA17E6 second address: CA17EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA17EC second address: CA17F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA17F0 second address: CA1822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F29FCD4346Bh 0x0000000f pop edx 0x00000010 nop 0x00000011 or ecx, dword ptr [ebp+122D1A62h] 0x00000017 push 0000001Eh 0x00000019 pushad 0x0000001a and ebx, dword ptr [ebp+122D292Ah] 0x00000020 mov ebx, dword ptr [ebp+122D3789h] 0x00000026 popad 0x00000027 nop 0x00000028 push esi 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA19A8 second address: CA19C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F29FC51833Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA1B4C second address: CA1B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA1B50 second address: CA1B5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA1B5C second address: CA1B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA1B60 second address: CA1B8A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F29FC51834Dh 0x00000013 jmp 00007F29FC518347h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA1B8A second address: CA1BB9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F29FCD4346Fh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push esi 0x0000000e jns 00007F29FCD43468h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jnl 00007F29FCD43466h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA1BB9 second address: CA1BD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518344h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE2FAD second address: CE2FB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE2FB3 second address: CE2FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F29FC51833Eh 0x0000000b jne 00007F29FC518336h 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE32D0 second address: CE32D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE32D4 second address: CE32D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE344D second address: CE3453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE35B3 second address: CE35B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE35B7 second address: CE35BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE3728 second address: CE373C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F29FC51833Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE385C second address: CE386C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD4346Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE386C second address: CE389A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F29FC518342h 0x0000000c jng 00007F29FC518336h 0x00000012 jnp 00007F29FC518336h 0x00000018 jo 00007F29FC51833Ah 0x0000001e pushad 0x0000001f popad 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 jc 00007F29FC51834Ch 0x00000029 push edi 0x0000002a pushad 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE389A second address: CE38A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jng 00007F29FCD4346Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE39C5 second address: CE39E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F29FC518341h 0x0000000d jmp 00007F29FC51833Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE39E8 second address: CE39F2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F29FCD43466h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE39F2 second address: CE39F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE39F8 second address: CE3A0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F29FCD43472h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEAE24 second address: CEAE2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F29FC518336h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEC561 second address: CEC56B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEC56B second address: CEC571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEC571 second address: CEC576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEC576 second address: CEC591 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518340h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEC591 second address: CEC5A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F29FCD43466h 0x0000000d jns 00007F29FCD43466h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEC5A4 second address: CEC5A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEC5A8 second address: CEC5AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEC5AE second address: CEC5B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEC5B4 second address: CEC5B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF73E second address: CEF77A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F29FC518347h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007F29FC51834Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF14E second address: CEF155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF155 second address: CEF15A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF456 second address: CEF45C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF45C second address: CEF46B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF46B second address: CEF471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF471 second address: CEF489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F29FC51833Dh 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF489 second address: CEF493 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F29FCD43466h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF18BA second address: CF18DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F29FC518347h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF1A6F second address: CF1A9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F29FCD43470h 0x0000000a jmp 00007F29FCD43475h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF88D6 second address: CF88F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F29FC518344h 0x0000000b jo 00007F29FC518336h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF88F6 second address: CF8900 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F29FCD43466h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF781D second address: CF7821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF7821 second address: CF7825 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF7825 second address: CF7835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F29FC518336h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF7835 second address: CF7839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF7839 second address: CF7845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F29FC518336h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA15B4 second address: CA15B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA15B9 second address: CA15BE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA15BE second address: CA163A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F29FCD43468h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov dword ptr [ebp+1247D12Ah], ecx 0x0000002a push 00000004h 0x0000002c push 00000000h 0x0000002e push ebx 0x0000002f call 00007F29FCD43468h 0x00000034 pop ebx 0x00000035 mov dword ptr [esp+04h], ebx 0x00000039 add dword ptr [esp+04h], 00000017h 0x00000041 inc ebx 0x00000042 push ebx 0x00000043 ret 0x00000044 pop ebx 0x00000045 ret 0x00000046 sbb dh, 00000003h 0x00000049 pushad 0x0000004a add dword ptr [ebp+122D1AEDh], edi 0x00000050 popad 0x00000051 nop 0x00000052 jmp 00007F29FCD43478h 0x00000057 push eax 0x00000058 pushad 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA163A second address: CA165A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F29FC518347h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA165A second address: CA165E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF8658 second address: CF865D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF865D second address: CF8662 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFB2B8 second address: CFB2BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFB2BF second address: CFB2C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFB2C5 second address: CFB2CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFB2CB second address: CFB2CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFB416 second address: CFB435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 jmp 00007F29FC518340h 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F29FC518336h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D084FF second address: D08509 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F29FCD43466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D08509 second address: D08524 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29FC518345h 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D08524 second address: D0853F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F29FCD43471h 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D06514 second address: D06518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D06AEF second address: D06AFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F29FCD4346Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0787F second address: D07885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07885 second address: D078B8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F29FCD43466h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F29FCD4346Eh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jne 00007F29FCD43474h 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D078B8 second address: D078BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07EA9 second address: D07EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07EAE second address: D07EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D081C2 second address: D081C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0D275 second address: D0D279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0D279 second address: D0D2BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD43476h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F29FCD43470h 0x0000000e jmp 00007F29FCD43473h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0D2BC second address: D0D2C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0C663 second address: D0C668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0C668 second address: D0C674 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F29FC518336h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0C674 second address: D0C678 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0CBDE second address: D0CC21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F29FC518336h 0x0000000a popad 0x0000000b push esi 0x0000000c jmp 00007F29FC518349h 0x00000011 push esi 0x00000012 pop esi 0x00000013 pop esi 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 jmp 00007F29FC518344h 0x0000001d pushad 0x0000001e popad 0x0000001f pop edi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1A97E second address: D1A98A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F29FCD4346Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1A98A second address: D1A98E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1981F second address: D1983B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F29FCD43473h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1983B second address: D19841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1E00C second address: D1E016 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F29FCD4346Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D22A74 second address: D22A78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D22BEF second address: D22BF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D22BF5 second address: D22BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D22BF9 second address: D22C3C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F29FCD43466h 0x00000008 jmp 00007F29FCD4346Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 je 00007F29FCD43466h 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e push edi 0x0000001f pushad 0x00000020 popad 0x00000021 jmp 00007F29FCD43479h 0x00000026 pop edi 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D246E1 second address: D246E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D246E7 second address: D246F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2FEEF second address: D2FEF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2FEF8 second address: D2FEFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2FEFE second address: D2FF02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2FF02 second address: D2FF06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3C9E1 second address: D3C9E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3C9E5 second address: D3C9E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4C334 second address: D4C360 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F29FC518341h 0x0000000e jno 00007F29FC518336h 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 pushad 0x00000018 jo 00007F29FC518336h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4C360 second address: D4C36B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4C908 second address: D4C92D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518344h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F29FC51833Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4F0BB second address: D4F0C0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EF41 second address: D4EF4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 js 00007F29FC518336h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D64679 second address: D6467F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D721C4 second address: D721EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518348h 0x00000007 pushad 0x00000008 ja 00007F29FC518336h 0x0000000e jnc 00007F29FC518336h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A175 second address: D8A17A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A17A second address: D8A182 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A439 second address: D8A43D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8AAA9 second address: D8AAAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8AAAF second address: D8AAB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8AAB3 second address: D8AABD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F29FC518336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8C50D second address: D8C511 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8C511 second address: D8C522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F29FC518338h 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F16D second address: D8F171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F171 second address: D8F17F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F29FC518336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F17F second address: D8F183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F183 second address: D8F1A5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F29FC518336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop esi 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a push edx 0x0000001b jnc 00007F29FC518336h 0x00000021 pop edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F1A5 second address: D8F1F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F29FCD43472h 0x00000008 jmp 00007F29FCD43472h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 jo 00007F29FCD43472h 0x00000018 jl 00007F29FCD4346Ch 0x0000001e jns 00007F29FCD43466h 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push ecx 0x0000002b jnl 00007F29FCD43466h 0x00000031 pop ecx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F46E second address: D8F4D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518343h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F29FC518338h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 push dword ptr [ebp+122D2F5Dh] 0x0000002a xor dword ptr [ebp+124607DAh], edi 0x00000030 call 00007F29FC518339h 0x00000035 jmp 00007F29FC518344h 0x0000003a push eax 0x0000003b je 00007F29FC518344h 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8F4D9 second address: D8F521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F29FCD43466h 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F29FCD43475h 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 pushad 0x00000018 js 00007F29FCD43466h 0x0000001e jmp 00007F29FCD43475h 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 pop eax 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D90ECF second address: D90ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D90ED3 second address: D90ED9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D90ED9 second address: D90EFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29FC51833Eh 0x00000009 jmp 00007F29FC518343h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA4F48 second address: CA4F65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD43479h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA4F65 second address: CA4F9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518349h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F29FC518343h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA4F9D second address: CA4FA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA03BB second address: 4AA03CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC51833Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA03CA second address: 4AA040A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 300Ah 0x00000007 mov ax, bx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f mov eax, 3C561329h 0x00000014 mov si, B8E5h 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a pushad 0x0000001b pushad 0x0000001c call 00007F29FCD4346Ch 0x00000021 pop ecx 0x00000022 jmp 00007F29FCD4346Bh 0x00000027 popad 0x00000028 mov ah, 6Eh 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA040A second address: 4AA040E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA040E second address: 4AA0414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC066E second address: 4AC0674 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0674 second address: 4AC0678 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0678 second address: 4AC06DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push eax 0x0000000b pushfd 0x0000000c jmp 00007F29FC51833Dh 0x00000011 add cx, 48C6h 0x00000016 jmp 00007F29FC518341h 0x0000001b popfd 0x0000001c pop eax 0x0000001d pushfd 0x0000001e jmp 00007F29FC518341h 0x00000023 add si, A226h 0x00000028 jmp 00007F29FC518341h 0x0000002d popfd 0x0000002e popad 0x0000002f mov dword ptr [esp], ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC06DC second address: 4AC06E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC06E0 second address: 4AC06E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC06E6 second address: 4AC06EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC06EC second address: 4AC0793 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC51833Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov edx, esi 0x00000010 pushfd 0x00000011 jmp 00007F29FC51833Ah 0x00000016 sub esi, 1A467E28h 0x0000001c jmp 00007F29FC51833Bh 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, ecx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F29FC518344h 0x0000002b xor cx, 3088h 0x00000030 jmp 00007F29FC51833Bh 0x00000035 popfd 0x00000036 popad 0x00000037 push eax 0x00000038 jmp 00007F29FC518344h 0x0000003d xchg eax, ecx 0x0000003e jmp 00007F29FC518340h 0x00000043 xchg eax, esi 0x00000044 jmp 00007F29FC518340h 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F29FC51833Dh 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0793 second address: 4AC0797 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0797 second address: 4AC079D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC079D second address: 4AC0839 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F29FCD4346Ah 0x00000009 sbb ch, FFFFFFA8h 0x0000000c jmp 00007F29FCD4346Bh 0x00000011 popfd 0x00000012 mov esi, 59BD4E9Fh 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, esi 0x0000001b jmp 00007F29FCD43472h 0x00000020 lea eax, dword ptr [ebp-04h] 0x00000023 jmp 00007F29FCD43470h 0x00000028 nop 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F29FCD4346Eh 0x00000030 jmp 00007F29FCD43475h 0x00000035 popfd 0x00000036 movzx ecx, di 0x00000039 popad 0x0000003a push eax 0x0000003b jmp 00007F29FCD4346Ah 0x00000040 nop 0x00000041 jmp 00007F29FCD43470h 0x00000046 push dword ptr [ebp+08h] 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c mov esi, edi 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0839 second address: 4AC083E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC088C second address: 4AC0890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0890 second address: 4AC08AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518349h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC08AD second address: 4AC08B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC08B3 second address: 4AC08B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0953 second address: 4AC0957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0957 second address: 4AC095B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC095B second address: 4AC0961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0961 second address: 4AC0967 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0967 second address: 4AC096B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC096B second address: 4AC000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 retn 0004h 0x0000000b nop 0x0000000c cmp eax, 00000000h 0x0000000f setne al 0x00000012 xor ebx, ebx 0x00000014 test al, 01h 0x00000016 jne 00007F29FC518337h 0x00000018 xor eax, eax 0x0000001a sub esp, 08h 0x0000001d mov dword ptr [esp], 00000000h 0x00000024 mov dword ptr [esp+04h], 00000000h 0x0000002c call 00007F2A00515A93h 0x00000031 mov edi, edi 0x00000033 pushad 0x00000034 mov al, B3h 0x00000036 push eax 0x00000037 push edx 0x00000038 mov ebx, 5C9BBE2Ah 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC000C second address: 4AC0010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0010 second address: 4AC0047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b call 00007F29FC518349h 0x00000010 pop ecx 0x00000011 jmp 00007F29FC518341h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0047 second address: 4AC004D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC004D second address: 4AC0051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0051 second address: 4AC00C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD43473h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007F29FCD43476h 0x00000013 mov ebp, esp 0x00000015 jmp 00007F29FCD43470h 0x0000001a push FFFFFFFEh 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F29FCD43478h 0x00000025 sbb ecx, 55FC0A68h 0x0000002b jmp 00007F29FCD4346Bh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC00C6 second address: 4AC0129 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 4FA6A50Ch 0x0000000d pushad 0x0000000e pushad 0x0000000f call 00007F29FC518345h 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007F29FC518341h 0x0000001b jmp 00007F29FC51833Bh 0x00000020 popfd 0x00000021 popad 0x00000022 popad 0x00000023 xor dword ptr [esp], 3A0C3B44h 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F29FC518345h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0129 second address: 4AC012F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC012F second address: 4AC0133 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0133 second address: 4AC017C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F29FCD43469h 0x0000000d pushad 0x0000000e movsx ebx, cx 0x00000011 mov dh, cl 0x00000013 popad 0x00000014 push eax 0x00000015 jmp 00007F29FCD43478h 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e pushad 0x0000001f call 00007F29FCD43471h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC017C second address: 4AC01EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov ecx, edi 0x00000007 popad 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007F29FC518348h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F29FC51833Ch 0x0000001c adc cx, 2BD8h 0x00000021 jmp 00007F29FC51833Bh 0x00000026 popfd 0x00000027 pushfd 0x00000028 jmp 00007F29FC518348h 0x0000002d or cx, 7638h 0x00000032 jmp 00007F29FC51833Bh 0x00000037 popfd 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC01EE second address: 4AC0205 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, CEh 0x00000005 movzx esi, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ecx, 4E429A7Bh 0x00000014 mov edi, eax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0205 second address: 4AC0244 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC51833Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000000h] 0x0000000f jmp 00007F29FC51833Eh 0x00000014 nop 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F29FC518347h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0244 second address: 4AC0273 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD43479h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d call 00007F29FCD4346Dh 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0273 second address: 4AC029E instructions: 0x00000000 rdtsc 0x00000002 mov bh, DFh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 mov ax, bx 0x0000000a pop ebx 0x0000000b popad 0x0000000c nop 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 movsx edx, ax 0x00000013 call 00007F29FC518346h 0x00000018 pop eax 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC029E second address: 4AC02D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F29FCD4346Eh 0x00000008 pop ecx 0x00000009 mov cl, dl 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e sub esp, 18h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F29FCD43474h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC02D0 second address: 4AC02D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC02D4 second address: 4AC02DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC02DA second address: 4AC0365 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b jmp 00007F29FC518340h 0x00000010 movzx esi, dx 0x00000013 popad 0x00000014 push eax 0x00000015 pushad 0x00000016 mov esi, 5346ED49h 0x0000001b mov eax, 7B881505h 0x00000020 popad 0x00000021 xchg eax, ebx 0x00000022 jmp 00007F29FC518340h 0x00000027 xchg eax, esi 0x00000028 pushad 0x00000029 mov eax, 71D6322Dh 0x0000002e pushfd 0x0000002f jmp 00007F29FC51833Ah 0x00000034 and ax, 82C8h 0x00000039 jmp 00007F29FC51833Bh 0x0000003e popfd 0x0000003f popad 0x00000040 push eax 0x00000041 jmp 00007F29FC518349h 0x00000046 xchg eax, esi 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F29FC51833Dh 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0365 second address: 4AC036B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC036B second address: 4AC036F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC036F second address: 4AC03CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 jmp 00007F29FCD43474h 0x0000000e mov dword ptr [esp], edi 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F29FCD4346Eh 0x00000018 add esi, 2CFF19E8h 0x0000001e jmp 00007F29FCD4346Bh 0x00000023 popfd 0x00000024 call 00007F29FCD43478h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC03CB second address: 4AC0440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov eax, dword ptr [75AB4538h] 0x0000000b pushad 0x0000000c mov eax, edx 0x0000000e mov edx, 5F503E8Ch 0x00000013 popad 0x00000014 xor dword ptr [ebp-08h], eax 0x00000017 jmp 00007F29FC51833Bh 0x0000001c xor eax, ebp 0x0000001e pushad 0x0000001f pushad 0x00000020 jmp 00007F29FC51833Bh 0x00000025 popad 0x00000026 mov esi, ebx 0x00000028 popad 0x00000029 push esi 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F29FC51833Ch 0x00000031 add esi, 634CE108h 0x00000037 jmp 00007F29FC51833Bh 0x0000003c popfd 0x0000003d popad 0x0000003e mov dword ptr [esp], eax 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F29FC518347h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0440 second address: 4AC0446 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0446 second address: 4AC0498 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518344h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-10h] 0x0000000c jmp 00007F29FC518340h 0x00000011 mov dword ptr fs:[00000000h], eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushfd 0x0000001b jmp 00007F29FC51833Ch 0x00000020 sbb ax, D828h 0x00000025 jmp 00007F29FC51833Bh 0x0000002a popfd 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0498 second address: 4AC04FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F29FCD4346Fh 0x0000000a add si, E96Eh 0x0000000f jmp 00007F29FCD43479h 0x00000014 popfd 0x00000015 popad 0x00000016 mov dword ptr [ebp-18h], esp 0x00000019 pushad 0x0000001a jmp 00007F29FCD4346Ch 0x0000001f mov ecx, 25F1BF01h 0x00000024 popad 0x00000025 mov eax, dword ptr fs:[00000018h] 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F29FCD43473h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC04FD second address: 4AC0541 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F29FC51833Fh 0x00000009 add si, 84DEh 0x0000000e jmp 00007F29FC518349h 0x00000013 popfd 0x00000014 mov bl, cl 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ecx, dword ptr [eax+00000FDCh] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push esi 0x00000023 pop edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0541 second address: 4AC0546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0546 second address: 4AC0578 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518347h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, ecx 0x0000000b pushad 0x0000000c mov ecx, 35C22F9Bh 0x00000011 mov ah, 2Ah 0x00000013 popad 0x00000014 jns 00007F29FC51837Dh 0x0000001a pushad 0x0000001b pushad 0x0000001c mov eax, edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0578 second address: 4AC05C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov di, 7114h 0x00000009 popad 0x0000000a add eax, ecx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F29FCD43479h 0x00000013 add cx, 2086h 0x00000018 jmp 00007F29FCD43471h 0x0000001d popfd 0x0000001e mov ebx, ecx 0x00000020 popad 0x00000021 mov ecx, dword ptr [ebp+08h] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 push ebx 0x00000028 pop esi 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC05C2 second address: 4AC05C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC05C8 second address: 4AC05CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC05CC second address: 4AC05D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB003F second address: 4AB0045 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0045 second address: 4AB007A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC51833Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushfd 0x0000000f jmp 00007F29FC51833Ch 0x00000014 sub si, 5708h 0x00000019 jmp 00007F29FC51833Bh 0x0000001e popfd 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB007A second address: 4AB00EB instructions: 0x00000000 rdtsc 0x00000002 movzx esi, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a mov bh, 99h 0x0000000c popad 0x0000000d popad 0x0000000e sub esp, 2Ch 0x00000011 jmp 00007F29FCD43478h 0x00000016 xchg eax, ebx 0x00000017 pushad 0x00000018 push eax 0x00000019 mov cx, di 0x0000001c pop edx 0x0000001d pushfd 0x0000001e jmp 00007F29FCD43476h 0x00000023 and ecx, 7AAE36F8h 0x00000029 jmp 00007F29FCD4346Bh 0x0000002e popfd 0x0000002f popad 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F29FCD43474h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB00EB second address: 4AB0155 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC51833Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F29FC518346h 0x0000000f xchg eax, edi 0x00000010 jmp 00007F29FC518340h 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov bx, si 0x0000001c pushfd 0x0000001d jmp 00007F29FC518348h 0x00000022 sub esi, 3A247548h 0x00000028 jmp 00007F29FC51833Bh 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0382 second address: 4AB0386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0386 second address: 4AB038A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB038A second address: 4AB0390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0390 second address: 4AB0396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB03BF second address: 4AB03C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB03C5 second address: 4AB0417 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC51833Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007F2A6D4C63E9h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov si, di 0x00000017 pushfd 0x00000018 jmp 00007F29FC518349h 0x0000001d adc si, B9C6h 0x00000022 jmp 00007F29FC518341h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0417 second address: 4AB048F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD43471h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F29FCD434D1h 0x0000000f pushad 0x00000010 mov dh, ch 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F29FCD4346Fh 0x00000019 or ah, FFFFFFAEh 0x0000001c jmp 00007F29FCD43479h 0x00000021 popfd 0x00000022 movzx esi, bx 0x00000025 popad 0x00000026 popad 0x00000027 cmp dword ptr [ebp-14h], edi 0x0000002a pushad 0x0000002b jmp 00007F29FCD43474h 0x00000030 popad 0x00000031 jne 00007F2A6DCF1480h 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a mov cl, dl 0x0000003c mov edx, eax 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB048F second address: 4AB0495 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0495 second address: 4AB0566 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F29FCD43475h 0x00000012 pushfd 0x00000013 jmp 00007F29FCD43470h 0x00000018 or si, 0F18h 0x0000001d jmp 00007F29FCD4346Bh 0x00000022 popfd 0x00000023 popad 0x00000024 mov bx, cx 0x00000027 popad 0x00000028 lea eax, dword ptr [ebp-2Ch] 0x0000002b jmp 00007F29FCD43472h 0x00000030 xchg eax, esi 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F29FCD4346Eh 0x00000038 adc cl, FFFFFFA8h 0x0000003b jmp 00007F29FCD4346Bh 0x00000040 popfd 0x00000041 pushfd 0x00000042 jmp 00007F29FCD43478h 0x00000047 and eax, 654DA308h 0x0000004d jmp 00007F29FCD4346Bh 0x00000052 popfd 0x00000053 popad 0x00000054 push eax 0x00000055 pushad 0x00000056 mov si, dx 0x00000059 mov ax, dx 0x0000005c popad 0x0000005d xchg eax, esi 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 call 00007F29FCD43476h 0x00000066 pop ecx 0x00000067 mov eax, edi 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0DC4 second address: 4AA0DCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0DCA second address: 4AA0E4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov cl, C8h 0x0000000c mov esi, ebx 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F29FCD43478h 0x00000017 sub eax, 6C7175B8h 0x0000001d jmp 00007F29FCD4346Bh 0x00000022 popfd 0x00000023 pushad 0x00000024 pushad 0x00000025 popad 0x00000026 pushfd 0x00000027 jmp 00007F29FCD43474h 0x0000002c sbb si, 3018h 0x00000031 jmp 00007F29FCD4346Bh 0x00000036 popfd 0x00000037 popad 0x00000038 popad 0x00000039 xchg eax, ebp 0x0000003a pushad 0x0000003b pushad 0x0000003c mov cx, 61E1h 0x00000040 mov di, ax 0x00000043 popad 0x00000044 mov edi, eax 0x00000046 popad 0x00000047 mov ebp, esp 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c mov dx, E624h 0x00000050 mov di, 4090h 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0E4D second address: 4AA0E53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0E53 second address: 4AA0E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0E57 second address: 4AA0E5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0E5B second address: 4AA0EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 jmp 00007F29FCD4346Ch 0x0000000e push eax 0x0000000f pushad 0x00000010 jmp 00007F29FCD43471h 0x00000015 jmp 00007F29FCD43470h 0x0000001a popad 0x0000001b xchg eax, ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov dl, FDh 0x00000021 pushfd 0x00000022 jmp 00007F29FCD43476h 0x00000027 sub eax, 00EBF998h 0x0000002d jmp 00007F29FCD4346Bh 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0EC4 second address: 4AA0ECD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, E2BAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0ECD second address: 4AA0EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [ebp-04h], 55534552h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push esi 0x00000012 pop edx 0x00000013 jmp 00007F29FCD43474h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AA0EF5 second address: 4AA0EFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0AAC second address: 4AB0AC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F29FCD43474h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0AC4 second address: 4AB0B22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC51833Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e jmp 00007F29FC518344h 0x00000013 jmp 00007F29FC518342h 0x00000018 popad 0x00000019 cmp dword ptr [75AB459Ch], 05h 0x00000020 pushad 0x00000021 push esi 0x00000022 mov ecx, edi 0x00000024 pop edi 0x00000025 movzx esi, di 0x00000028 popad 0x00000029 je 00007F2A6D4B6226h 0x0000002f pushad 0x00000030 mov si, 2A69h 0x00000034 popad 0x00000035 pop ebp 0x00000036 pushad 0x00000037 mov ah, BDh 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0C7B second address: 4AB0C7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0C7F second address: 4AB0C85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0C85 second address: 4AB0CA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD4346Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F2A6DCD7158h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F29FCD4346Ah 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0CA7 second address: 4AB0CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0CAB second address: 4AB0CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB0CB1 second address: 4AB0D03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F29FC51833Ch 0x00000008 pushfd 0x00000009 jmp 00007F29FC518342h 0x0000000e or ch, FFFFFFF8h 0x00000011 jmp 00007F29FC51833Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a cmp dword ptr [ebp+08h], 00002000h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F29FC518345h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC09A7 second address: 4AC09FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F29FCD4346Fh 0x00000008 pushfd 0x00000009 jmp 00007F29FCD43478h 0x0000000e and al, FFFFFFE8h 0x00000011 jmp 00007F29FCD4346Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F29FCD43475h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC09FD second address: 4AC0A03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0A03 second address: 4AC0A07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0A07 second address: 4AC0A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov bh, 22h 0x0000000e mov dl, ah 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0A18 second address: 4AC0AE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD43474h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c jmp 00007F29FCD43470h 0x00000011 mov esi, dword ptr [ebp+0Ch] 0x00000014 jmp 00007F29FCD43470h 0x00000019 test esi, esi 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F29FCD4346Eh 0x00000022 and ax, A268h 0x00000027 jmp 00007F29FCD4346Bh 0x0000002c popfd 0x0000002d pushfd 0x0000002e jmp 00007F29FCD43478h 0x00000033 adc si, 74C8h 0x00000038 jmp 00007F29FCD4346Bh 0x0000003d popfd 0x0000003e popad 0x0000003f je 00007F2A6DCD0D79h 0x00000045 jmp 00007F29FCD43476h 0x0000004a cmp dword ptr [75AB459Ch], 05h 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F29FCD43477h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0AE0 second address: 4AC0B09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC518349h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F2A6D4BDCD0h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0B09 second address: 4AC0B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0B0D second address: 4AC0B13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0B13 second address: 4AC0B2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD43472h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0B2F second address: 4AC0B40 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 33CFF6CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0B40 second address: 4AC0B5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FCD43479h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0B5D second address: 4AC0BA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 pushfd 0x00000007 jmp 00007F29FC518343h 0x0000000c xor ecx, 177695EEh 0x00000012 jmp 00007F29FC518349h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, esi 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0BA1 second address: 4AC0BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0BA5 second address: 4AC0BB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F29FC51833Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0BFE second address: 4AC0C03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AC0C03 second address: 4AC0C4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F29FC51833Dh 0x0000000a sub ah, FFFFFF96h 0x0000000d jmp 00007F29FC518341h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 xchg eax, esi 0x00000017 jmp 00007F29FC51833Eh 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F29FC51833Eh 0x00000024 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: AECB44 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: AECA63 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D26636 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF0545 rdtsc 0_2_00AF0545
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 5948 Thread sleep time: -270000s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, file.exe, 00000000.00000002.1494688218.0000000000C77000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: file.exe, 00000000.00000002.1494042557.0000000000788000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW{
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: file.exe, 00000000.00000002.1494042557.0000000000788000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1494042557.0000000000757000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: file.exe, 00000000.00000003.1335820959.000000000544A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696492231p
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: file.exe, 00000000.00000002.1494688218.0000000000C77000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: file.exe, 00000000.00000003.1335820959.0000000005445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF0545 rdtsc 0_2_00AF0545
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ACD930 LdrInitializeThunk, 0_2_00ACD930
Source: file.exe, file.exe, 00000000.00000002.1494688218.0000000000C77000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: kProgram Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: file.exe, 00000000.00000003.1415129893.0000000005431000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1496783158.0000000005432000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1415035715.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1493528719.0000000005432000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 5380, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe, 00000000.00000002.1494042557.0000000000788000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum-LTC
Source: file.exe, 00000000.00000003.1310755085.00000000007F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: file.exe, 00000000.00000003.1336629907.00000000007F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: file.exe, 00000000.00000002.1494390752.00000000007F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: file.exe, 00000000.00000002.1494042557.0000000000788000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: file.exe, 00000000.00000003.1336629907.00000000007F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000003.1336629907.00000000007F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000003.1336629907.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1336085175.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1383847377.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1310755085.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1311800277.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1359632994.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1359202911.00000000007F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1386704934.00000000007F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1359393322.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5380, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 5380, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1562727 Sample: file.exe Startdate: 25/11/2024 Architecture: WINDOWS Score: 100 10 property-imper.sbs 2->10 12 occupy-blushi.sbs 2->12 14 frogs-severz.sbs 2->14 18 Suricata IDS alerts for network traffic 2->18 20 Found malware configuration 2->20 22 Antivirus detection for URL or domain 2->22 24 7 other signatures 2->24 6 file.exe 2->6         started        signatures3 process4 dnsIp5 16 occupy-blushi.sbs 172.67.187.240, 443, 49700, 49701 CLOUDFLARENETUS United States 6->16 26 Detected unpacking (changes PE section rights) 6->26 28 Query firmware table information (likely to detect VMs) 6->28 30 Tries to detect sandboxes and other dynamic analysis tools (window names) 6->30 32 9 other signatures 6->32 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.187.240
 occupy-blushi.sbs United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
occupy-blushi.sbs 172.67.187.240 true
property-imper.sbs unknown unknown
frogs-severz.sbs unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://occupy-blushi.sbs/api false
    		high