Windows Analysis Report
Iv88OQbqpE.exe

Overview

General Information

Sample name: Iv88OQbqpE.exe
renamed because original name is a hash value
Original sample name: 0ee8874628614a8fb4c0ee5d97ea6c5c.exe
Analysis ID: 1417240
MD5: 0ee8874628614a8fb4c0ee5d97ea6c5c
SHA1: 63e37e83ee9b2fef519c2c036bf41479899d0b32
SHA256: b5468ef28fbad7cf3fe6e60f324215f81fb75fd6289c17a587ad418d49aeb751
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

Source: Iv88OQbqpE.exe Avira: detected
Source: http://193.233.132.167/cost/lenin.exe URL Reputation: Label: malware
Source: http://193.233.132.167/mine/amert.exe56 Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/amert.exem Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/lenin.exeS Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/amert.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.216:57893/hera/amadka.exeer Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exe02.165.48.43 Avira URL Cloud: Label: malware
Source: http://193.233.132.216:57893/hera/amadka.exe Avira URL Cloud: Label: malware
Source: Iv88OQbqpE.exe ReversingLabs: Detection: 47%
Source: Iv88OQbqpE.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Code function: 1_2_00ACF8D0 CryptUnprotectData,CryptUnprotectData, 1_2_00ACF8D0
Source: Iv88OQbqpE.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Code function: 1_2_00ABA160 GetFileAttributesA,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error, 1_2_00ABA160
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Code function: 1_2_00B8C7AB FindFirstFileExW, 1_2_00B8C7AB

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.8:49705 -> 193.233.132.74:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.74:58709 -> 192.168.2.8:49705
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.8:49705 -> 193.233.132.74:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 193.233.132.74:58709 -> 192.168.2.8:49705
Source: global traffic TCP traffic: 193.233.132.74 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.8:49705 -> 193.233.132.74:58709
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 104.26.5.15 104.26.5.15
Source: Joe Sandbox View IP Address: 193.233.132.74 193.233.132.74
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/102.165.48.43 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=102.165.48.43 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: ipinfo.io
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe02.165.48.43
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exeS
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.0000000001217000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exe
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exe56
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.0000000001217000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exem
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.216:57893/hera/amadka.exe
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.216:57893/hera/amadka.exeer
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Source: Iv88OQbqpE.exe, 00000001.00000002.1673523973.0000000000AB1000.00000040.00000001.01000000.00000003.sdmp, Iv88OQbqpE.exe, 00000001.00000003.1370253101.0000000004D00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: Iv88OQbqpE.exe, 00000001.00000003.1548633411.0000000005E55000.00000004.00000020.00020000.00000000.sdmp, KP7KkCCF7bc_Web Data.1.dr, F8sZ6bOkZYvDWeb Data.1.dr, _oyhXtkVWgI8Web Data.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Iv88OQbqpE.exe, 00000001.00000003.1548633411.0000000005E55000.00000004.00000020.00020000.00000000.sdmp, KP7KkCCF7bc_Web Data.1.dr, F8sZ6bOkZYvDWeb Data.1.dr, _oyhXtkVWgI8Web Data.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Iv88OQbqpE.exe, 00000001.00000003.1548633411.0000000005E55000.00000004.00000020.00020000.00000000.sdmp, KP7KkCCF7bc_Web Data.1.dr, F8sZ6bOkZYvDWeb Data.1.dr, _oyhXtkVWgI8Web Data.1.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Iv88OQbqpE.exe, 00000001.00000003.1548633411.0000000005E55000.00000004.00000020.00020000.00000000.sdmp, KP7KkCCF7bc_Web Data.1.dr, F8sZ6bOkZYvDWeb Data.1.dr, _oyhXtkVWgI8Web Data.1.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.43
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.43f6
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.43x
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=102.165.48.43
Source: Iv88OQbqpE.exe, 00000001.00000003.1548633411.0000000005E55000.00000004.00000020.00020000.00000000.sdmp, KP7KkCCF7bc_Web Data.1.dr, F8sZ6bOkZYvDWeb Data.1.dr, _oyhXtkVWgI8Web Data.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Iv88OQbqpE.exe, 00000001.00000003.1548633411.0000000005E55000.00000004.00000020.00020000.00000000.sdmp, KP7KkCCF7bc_Web Data.1.dr, F8sZ6bOkZYvDWeb Data.1.dr, _oyhXtkVWgI8Web Data.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Iv88OQbqpE.exe, 00000001.00000003.1548633411.0000000005E55000.00000004.00000020.00020000.00000000.sdmp, KP7KkCCF7bc_Web Data.1.dr, F8sZ6bOkZYvDWeb Data.1.dr, _oyhXtkVWgI8Web Data.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.000000000114E000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011AA000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: Iv88OQbqpE.exe, 00000001.00000002.1673523973.0000000000AB1000.00000040.00000001.01000000.00000003.sdmp, Iv88OQbqpE.exe, 00000001.00000003.1370253101.0000000004D00000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.000000000117E000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.000000000117E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43;
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/102.165.48.43P
Source: 3b6N2Xdh3CYwplaces.sqlite.1.dr String found in binary or memory: https://support.mozilla.org
Source: 3b6N2Xdh3CYwplaces.sqlite.1.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 3b6N2Xdh3CYwplaces.sqlite.1.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: Iv88OQbqpE.exe, 00000001.00000002.1676118743.0000000005CB0000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000002.1674023072.000000000114E000.00000004.00000020.00020000.00000000.sdmp, qf2iRTCbu9eZdALmXvtvP2Z.zip.1.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: Iv88OQbqpE.exe, 00000001.00000002.1676118743.0000000005CB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTe
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.1.dr String found in binary or memory: https://t.me/risepro_bot
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botZ6
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bott
Source: Iv88OQbqpE.exe, 00000001.00000003.1548633411.0000000005E55000.00000004.00000020.00020000.00000000.sdmp, KP7KkCCF7bc_Web Data.1.dr, F8sZ6bOkZYvDWeb Data.1.dr, _oyhXtkVWgI8Web Data.1.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: Iv88OQbqpE.exe, 00000001.00000003.1548633411.0000000005E55000.00000004.00000020.00020000.00000000.sdmp, KP7KkCCF7bc_Web Data.1.dr, F8sZ6bOkZYvDWeb Data.1.dr, _oyhXtkVWgI8Web Data.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Iv88OQbqpE.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: 3b6N2Xdh3CYwplaces.sqlite.1.dr String found in binary or memory: https://www.mozilla.org
Source: 3b6N2Xdh3CYwplaces.sqlite.1.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: 3b6N2Xdh3CYwplaces.sqlite.1.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: 3b6N2Xdh3CYwplaces.sqlite.1.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.0000000001217000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: Iv88OQbqpE.exe, 00000001.00000003.1559519400.0000000005CEC000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000003.1562377075.0000000005CEC000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000003.1559340860.0000000005CEC000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000003.1561085817.0000000005CEC000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000003.1563774134.0000000005CEC000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000003.1552523057.0000000005CEC000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000003.1558878804.0000000005CEC000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000003.1563291272.0000000005CEC000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000003.1550634899.0000000005CEC000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000003.1566008269.0000000005CEC000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000002.1676118743.0000000005CEC000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000003.1551637411.0000000005CEC000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.1.dr, 3b6N2Xdh3CYwplaces.sqlite.1.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706

System Summary

Source: Iv88OQbqpE.exe Static PE information: section name:
Source: Iv88OQbqpE.exe Static PE information: section name: .idata
Source: Iv88OQbqpE.exe Static PE information: section name:
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7496 -s 2004
Source: Iv88OQbqpE.exe, 00000001.00000002.1675184055.0000000004D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs Iv88OQbqpE.exe
Source: Iv88OQbqpE.exe, 00000001.00000002.1673621549.0000000000BE3000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs Iv88OQbqpE.exe
Source: Iv88OQbqpE.exe Binary or memory string: OriginalFilenamefilezilla.exe4 vs Iv88OQbqpE.exe
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Section loaded: dpapi.dll
Source: Iv88OQbqpE.exe Static PE information: Section: ZLIB complexity 0.9998331850533808
Source: Iv88OQbqpE.exe Static PE information: Section: ntfjvkxf ZLIB complexity 0.9894196931306306
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@2/27@2/3
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\signons.sqlite
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7496
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File created: C:\Users\user\AppData\Local\Temp\adobeKiDxAbBQnJab
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Iv88OQbqpE.exe, 00000001.00000002.1673523973.0000000000AB1000.00000040.00000001.01000000.00000003.sdmp, Iv88OQbqpE.exe, 00000001.00000003.1370253101.0000000004D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Iv88OQbqpE.exe, 00000001.00000002.1673523973.0000000000AB1000.00000040.00000001.01000000.00000003.sdmp, Iv88OQbqpE.exe, 00000001.00000003.1370253101.0000000004D00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Iv88OQbqpE.exe, 00000001.00000003.1558878804.0000000005CEC000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000003.1547450296.0000000005CED000.00000004.00000020.00020000.00000000.sdmp, ihRnkUjPWlZhLogin Data.1.dr, P4GKVEeNqUNxLogin Data.1.dr, Exbm88Y9TX3cLogin Data For Account.1.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Iv88OQbqpE.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File read: C:\Users\user\Desktop\Iv88OQbqpE.exe
Source: unknown Process created: C:\Users\user\Desktop\Iv88OQbqpE.exe "C:\Users\user\Desktop\Iv88OQbqpE.exe"
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Iv88OQbqpE.exe Static file information: File size 2298880 > 1048576
Source: Iv88OQbqpE.exe Static PE information: Raw size of ntfjvkxf is bigger than: 0x100000 < 0x1a0400

Data Obfuscation

Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Unpacked PE file: 1.2.Iv88OQbqpE.exe.ab0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ntfjvkxf:EW;gjzhiyds:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ntfjvkxf:EW;gjzhiyds:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: Iv88OQbqpE.exe Static PE information: real checksum: 0x235f7c should be: 0x23c906
Source: Iv88OQbqpE.exe Static PE information: section name: ntfjvkxf
Source: Iv88OQbqpE.exe Static PE information: section name: gjzhiyds
Source: Iv88OQbqpE.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Code function: 1_2_00B8E689 push ecx; ret 1_2_00B8E69C
Source: Iv88OQbqpE.exe Static PE information: section name: entropy: 7.987260772297516
Source: Iv88OQbqpE.exe Static PE information: section name: ntfjvkxf entropy: 7.949286589820064

Boot Survival

Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Window searched: window name: Filemonclass
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA33E2 second address: DA33E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA33E6 second address: DA33EC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA33EC second address: DA346F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F852108DE16h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e or edi, 708F2C7Ah 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F852108DE08h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000014h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 mov dword ptr [ebp+122D2759h], ebx 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push esi 0x0000003b call 00007F852108DE08h 0x00000040 pop esi 0x00000041 mov dword ptr [esp+04h], esi 0x00000045 add dword ptr [esp+04h], 0000001Bh 0x0000004d inc esi 0x0000004e push esi 0x0000004f ret 0x00000050 pop esi 0x00000051 ret 0x00000052 pushad 0x00000053 jnc 00007F852108DE0Ch 0x00000059 popad 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA346F second address: DA3473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA3473 second address: DA3479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA165B second address: DA1661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA3479 second address: DA3491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F852108DE14h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA1661 second address: DA1666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA4453 second address: DA44AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 sub dword ptr [ebp+1246BFDEh], esi 0x0000000f sbb bl, FFFFFFCBh 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F852108DE08h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e push 00000000h 0x00000030 mov dword ptr [ebp+122D2F11h], ebx 0x00000036 xchg eax, esi 0x00000037 jmp 00007F852108DE13h 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 pop eax 0x00000043 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA44AA second address: DA44B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA5489 second address: DA548D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA460F second address: DA4613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA548D second address: DA54FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F852108DE10h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F852108DE08h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov bx, cx 0x0000002a mov edi, 071FE42Ch 0x0000002f push 00000000h 0x00000031 mov dword ptr [ebp+122D2F11h], edx 0x00000037 push 00000000h 0x00000039 pushad 0x0000003a mov ebx, dword ptr [ebp+122D2C15h] 0x00000040 clc 0x00000041 popad 0x00000042 push edi 0x00000043 mov di, 9E86h 0x00000047 pop edi 0x00000048 xchg eax, esi 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F852108DE13h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA4613 second address: DA461D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8521396B4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA54FD second address: DA5502 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA5502 second address: DA550E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA64E3 second address: DA64EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA64EC second address: DA64F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA5646 second address: DA564C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA64F0 second address: DA6519 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396B55h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F8521396B4Ch 0x00000013 jns 00007F8521396B46h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA56ED second address: DA570F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F852108DE19h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA74E2 second address: DA74E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA74E6 second address: DA74F0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F852108DE06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA74F0 second address: DA750D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8521396B48h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jnl 00007F8521396B46h 0x00000014 ja 00007F8521396B46h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DA750D second address: DA7512 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DB00C0 second address: DB00D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8521396B52h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DB56F3 second address: DB56F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DB56F7 second address: DB5704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DB64D1 second address: DB650B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F852108DE19h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c ja 00007F852108DE12h 0x00000012 jmp 00007F852108DE0Ch 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b pushad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DB650B second address: DB6535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8521396B46h 0x0000000a popad 0x0000000b jmp 00007F8521396B56h 0x00000010 popad 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pushad 0x00000017 popad 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DB6535 second address: DB6557 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F852108DE0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007F852108DE0Ch 0x00000015 jnc 00007F852108DE06h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DB65FE second address: DB6603 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DBCEA9 second address: DBCEAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DBBB91 second address: DBBBCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8521396B55h 0x00000009 push edi 0x0000000a jng 00007F8521396B46h 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F8521396B54h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DBC330 second address: DBC33B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jbe 00007F852108DE06h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DBC76A second address: DBC76F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DBC76F second address: DBC774 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DBCA67 second address: DBCA6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DBCA6B second address: DBCA82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F852108DE0Fh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DBCA82 second address: DBCA9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396B57h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DBCA9D second address: DBCAAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F852108DE06h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DBCD29 second address: DBCD2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC5A3F second address: DC5A54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F852108DE0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC5A54 second address: DC5A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC45B8 second address: DC45DF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F852108DE18h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jo 00007F852108DE06h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC473E second address: DC4742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC4742 second address: DC4758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F852108DE0Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC4758 second address: DC475C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC475C second address: DC4760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC4760 second address: DC476F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007F8521396CF9h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC4ED2 second address: DC4ED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC51C2 second address: DC51C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC58A4 second address: DC58E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8521396CD8h 0x00000011 jmp 00007F8521396CD5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC4145 second address: DC4154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8521396CEBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC4154 second address: DC416A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CD0h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC416A second address: DC416F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC416F second address: DC41AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8521396CD4h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F8521396CD1h 0x00000012 jbe 00007F8521396CC6h 0x00000018 pop eax 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push edx 0x0000001e push edx 0x0000001f pop edx 0x00000020 pop edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC41AB second address: DC41C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8521396CF2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC98B8 second address: DC98C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CCAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC98C8 second address: DC98EF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F8521396CF5h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jc 00007F8521396D1Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC98EF second address: DC98F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DC98F3 second address: DC991C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007F8521396CEFh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DCDF87 second address: DCDF8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DCDF8C second address: DCDFA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F8521396CEDh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: D8E63F second address: D8E643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: D8E643 second address: D8E66D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8521396CEDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: D8E66D second address: D8E671 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: D8E671 second address: D78A1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push esi 0x0000000b call 00007F8521396CF6h 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop edi 0x00000014 mov dword ptr [ebp+12468FFEh], edx 0x0000001a call dword ptr [ebp+1245AE80h] 0x00000020 pushad 0x00000021 jnl 00007F8521396CE8h 0x00000027 jmp 00007F8521396CF0h 0x0000002c pushad 0x0000002d jmp 00007F8521396CEEh 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: D8E7D8 second address: D8E7DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: D8E7DC second address: D8E7E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: D8EA77 second address: D8EA7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: D8EC8D second address: D8EC91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: D8F135 second address: D8F139 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DCD2CB second address: DCD2DA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DCD2DA second address: DCD2EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F8521396CCCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DCD2EC second address: DCD2F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F8521396CECh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DCD2F8 second address: DCD2FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DCD2FC second address: DCD303 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DCD467 second address: DCD46D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DCD46D second address: DCD472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DCD6F1 second address: DCD6F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DCD6F7 second address: DCD702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DCD702 second address: DCD70E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DCD70E second address: DCD712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DD0235 second address: DD023C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DD023C second address: DD0252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8521396CEDh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DD0252 second address: DD0256 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DD18BC second address: DD18C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DD18C0 second address: DD18CA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DD18CA second address: DD18DC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8521396CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: DD18DC second address: DD18E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: E89F39 second address: E89F6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8521396CD5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: E8E9B1 second address: E8E9C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jne 00007F8521396CE6h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: E8E9C2 second address: E8E9DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CCAh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8521396CCAh 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F008AB second address: 4F008B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F008B1 second address: 4F008B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F008B5 second address: 4F008B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F008B9 second address: 4F00906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov ecx, 66DAF68Fh 0x0000000f pushfd 0x00000010 jmp 00007F8521396CD4h 0x00000015 xor cx, CA38h 0x0000001a jmp 00007F8521396CCBh 0x0000001f popfd 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F8521396CD4h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F00906 second address: 4F00918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8521396CEEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F00918 second address: 4F00988 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F8521396CD6h 0x00000011 mov ebp, esp 0x00000013 jmp 00007F8521396CD0h 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov eax, edx 0x0000001e pushfd 0x0000001f jmp 00007F8521396CD9h 0x00000024 and ch, FFFFFFF6h 0x00000027 jmp 00007F8521396CD1h 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4EC0F3D second address: 4EC0F84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8521396CF6h 0x0000000f mov ebp, esp 0x00000011 jmp 00007F8521396CF0h 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F8521396CEAh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4EC0F84 second address: 4EC0F88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4EC0F88 second address: 4EC0F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40822 second address: 4F40826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40826 second address: 4F4082C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F4082C second address: 4F40848 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8521396CD1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4EC0C1F second address: 4EC0C82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8521396CF9h 0x00000009 and cx, 7446h 0x0000000e jmp 00007F8521396CF1h 0x00000013 popfd 0x00000014 mov eax, 6FC77EF7h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov eax, ebx 0x00000022 pushfd 0x00000023 jmp 00007F8521396CEBh 0x00000028 jmp 00007F8521396CF3h 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4EC0C82 second address: 4EC0C88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4EC0C88 second address: 4EC0C9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4EC0C9E second address: 4EC0D01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F8521396CD7h 0x0000000c and ch, 0000003Eh 0x0000000f jmp 00007F8521396CD9h 0x00000014 popfd 0x00000015 popad 0x00000016 push dword ptr [ebp+04h] 0x00000019 jmp 00007F8521396CCEh 0x0000001e push dword ptr [ebp+0Ch] 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 jmp 00007F8521396CCDh 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4EC0D01 second address: 4EC0D0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8521396CEAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4EC0D0F second address: 4EC0D20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4EC0D20 second address: 4EC0D26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40532 second address: 4F40538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40538 second address: 4F4053C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F4053C second address: 4F4057A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushfd 0x0000000f jmp 00007F8521396CD9h 0x00000014 sub cl, FFFFFFC6h 0x00000017 jmp 00007F8521396CD1h 0x0000001c popfd 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F4057A second address: 4F405D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8521396CEEh 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F8521396CEEh 0x00000018 adc ax, D5C8h 0x0000001d jmp 00007F8521396CEBh 0x00000022 popfd 0x00000023 movzx esi, dx 0x00000026 popad 0x00000027 pop ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F8521396CEDh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F405D7 second address: 4F405DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F405DB second address: 4F405E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F10ABD second address: 4F10AC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F10AC3 second address: 4F10AC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F10AC7 second address: 4F10AFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov si, bx 0x0000000d mov dh, B8h 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 jmp 00007F8521396CCAh 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F8521396CD7h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F5014C second address: 4F5015F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 0672h 0x00000007 push edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F5015F second address: 4F50163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50163 second address: 4F5017A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F5017A second address: 4F50192 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8521396CD4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50192 second address: 4F501BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8521396CF5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F501BD second address: 4F50215 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8521396CD7h 0x00000009 adc ah, FFFFFF8Eh 0x0000000c jmp 00007F8521396CD9h 0x00000011 popfd 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a mov bx, si 0x0000001d mov ecx, 17F68D25h 0x00000022 popad 0x00000023 pop ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F8521396CCAh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50215 second address: 4F5021B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50027 second address: 4F5002D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F5002D second address: 4F5003E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8521396CEDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F5003E second address: 4F5007F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov esi, 1C1497C9h 0x0000000f pushfd 0x00000010 jmp 00007F8521396CD6h 0x00000015 or eax, 5979F818h 0x0000001b jmp 00007F8521396CCBh 0x00000020 popfd 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push ebx 0x00000027 pop eax 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F5007F second address: 4F50084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50084 second address: 4F500F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8521396CD8h 0x00000009 sub ecx, 16A059A8h 0x0000000f jmp 00007F8521396CCBh 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F8521396CD8h 0x0000001b sbb eax, 2629CC08h 0x00000021 jmp 00007F8521396CCBh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a mov ebp, esp 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F8521396CD5h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F500F9 second address: 4F50109 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8521396CECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50109 second address: 4F5010D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40634 second address: 4F40668 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8521396CEEh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40668 second address: 4F4066C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F4066C second address: 4F40672 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40672 second address: 4F406A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8521396CD2h 0x00000009 jmp 00007F8521396CD5h 0x0000000e popfd 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F406A0 second address: 4F406BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8521396CF3h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40DD8 second address: 4F40DE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40DE7 second address: 4F40DF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, F5h 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40DF7 second address: 4F40DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40DFB second address: 4F40E11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40E11 second address: 4F40E17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40E17 second address: 4F40E1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40E1B second address: 4F40E51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp+08h] 0x0000000b jmp 00007F8521396CD9h 0x00000010 and dword ptr [eax], 00000000h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F8521396CCDh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40E51 second address: 4F40E56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40E56 second address: 4F40E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F8521396CCDh 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d and dword ptr [eax+04h], 00000000h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40E75 second address: 4F40E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40E79 second address: 4F40E7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40E7D second address: 4F40E83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40E83 second address: 4F40EAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8521396CCCh 0x00000009 sbb ch, 00000018h 0x0000000c jmp 00007F8521396CCBh 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40EAC second address: 4F40EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40EB0 second address: 4F40EB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F40EB6 second address: 4F40EBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50342 second address: 4F5036B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CD5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8521396CCDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F5036B second address: 4F50371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50371 second address: 4F50375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50375 second address: 4F50395 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8521396CF5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4EF0A2C second address: 4EF0A32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4EF0A32 second address: 4EF0A36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4EF0A36 second address: 4EF0A3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4EF0A3A second address: 4EF0A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F8521396CF9h 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4EF0A63 second address: 4EF0A6E instructions: 0x00000000 rdtsc 0x00000002 mov ax, D91Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F60041 second address: 4F60047 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F60047 second address: 4F6004B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F6004B second address: 4F6009C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov esi, 51746B23h 0x00000012 pushfd 0x00000013 jmp 00007F8521396CF8h 0x00000018 sub cl, 00000068h 0x0000001b jmp 00007F8521396CEBh 0x00000020 popfd 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov di, 71D6h 0x0000002b mov dx, D562h 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F6009C second address: 4F600AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8521396CCFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F600AF second address: 4F60130 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F8521396CECh 0x00000013 xor eax, 1D0BAA58h 0x00000019 jmp 00007F8521396CEBh 0x0000001e popfd 0x0000001f mov ebx, eax 0x00000021 popad 0x00000022 push eax 0x00000023 jmp 00007F8521396CF5h 0x00000028 xchg eax, ecx 0x00000029 jmp 00007F8521396CEEh 0x0000002e mov eax, dword ptr [775165FCh] 0x00000033 pushad 0x00000034 mov al, 1Dh 0x00000036 mov edi, 5492B67Eh 0x0000003b popad 0x0000003c test eax, eax 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 pushad 0x00000042 popad 0x00000043 mov dx, si 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F60130 second address: 4F60136 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F60136 second address: 4F6013A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F6013A second address: 4F6013E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50B19 second address: 4F50B6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F8521396CD4h 0x00000011 add ax, 0D78h 0x00000016 jmp 00007F8521396CCBh 0x0000001b popfd 0x0000001c mov edx, esi 0x0000001e popad 0x0000001f mov edi, dword ptr [ebp+08h] 0x00000022 pushad 0x00000023 movzx ecx, dx 0x00000026 push edi 0x00000027 mov ch, 2Fh 0x00000029 pop ebx 0x0000002a popad 0x0000002b mov dword ptr [esp+24h], 00000000h 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50B6D second address: 4F50B8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50B8A second address: 4F50C18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lock bts dword ptr [edi], 00000000h 0x0000000e jmp 00007F8521396CCEh 0x00000013 jc 00007F8593878547h 0x00000019 pushad 0x0000001a movzx esi, di 0x0000001d mov eax, edi 0x0000001f popad 0x00000020 pop edi 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F8521396CCBh 0x00000028 sbb esi, 6811D55Eh 0x0000002e jmp 00007F8521396CD9h 0x00000033 popfd 0x00000034 pushfd 0x00000035 jmp 00007F8521396CD0h 0x0000003a xor eax, 2394F158h 0x00000040 jmp 00007F8521396CCBh 0x00000045 popfd 0x00000046 popad 0x00000047 pop esi 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50C18 second address: 4F50C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50C1C second address: 4F50C22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50C22 second address: 4F50C3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8521396CEAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50C3F second address: 4F50C45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50C45 second address: 4F50C4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50C4B second address: 4F50C4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50C4F second address: 4F50C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esp, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8521396CEBh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50C66 second address: 4F50C93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8521396CCDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50C93 second address: 4F50C99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50C99 second address: 4F50C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50C9D second address: 4F50CA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F5050E second address: 4F5051D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F5051D second address: 4F5053E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F5053E second address: 4F5056C instructions: 0x00000000 rdtsc 0x00000002 movzx esi, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F8521396CCCh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F8521396CD0h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F5056C second address: 4F50570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50570 second address: 4F50576 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50576 second address: 4F50587 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50587 second address: 4F5058B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F5058B second address: 4F5058F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F5058F second address: 4F50595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F50595 second address: 4F505B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, EEF9h 0x00000007 push eax 0x00000008 pop ebx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F8521396CECh 0x00000015 mov ah, DBh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F505B4 second address: 4F505BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F505BA second address: 4F505BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F505BE second address: 4F505C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F505C2 second address: 4F505F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 jmp 00007F8521396CF2h 0x0000000e xchg eax, esi 0x0000000f pushad 0x00000010 mov si, C1BDh 0x00000014 call 00007F8521396CEAh 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c popad 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F505F8 second address: 4F5060B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8521396CCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe RDTSC instruction interceptor: First address: 4F5060B second address: 4F50611 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Special instruction interceptor: First address: D855DA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Code function: 1_2_04EA0EA8 rdtsc 1_2_04EA0EA8
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe TID: 7500 Thread sleep count: 94 > 30
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe TID: 7500 Thread sleep count: 48 > 30
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Code function: 1_2_00ABA160 GetFileAttributesA,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error, 1_2_00ABA160
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Code function: 1_2_00B8C7AB FindFirstFileExW, 1_2_00B8C7AB
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: AMC password management pageVMware20,11696494690
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: Iv88OQbqpE.exe, 00000001.00000003.1399469486.0000000001195000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.000000000117E000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011AA000.00000004.00000020.00020000.00000000.sdmp, Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Iv88OQbqpE.exe, 00000001.00000003.1399469486.0000000001193000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: global block list test formVMware20,11696494690
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Iv88OQbqpE.exe, Iv88OQbqpE.exe, 00000001.00000002.1673637208.0000000000D69000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: discord.comVMware20,11696494690f
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.000000000118B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.00000000011C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.0000000001217000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSION
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.0000000001140000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000s
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.000000000117E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000s\user\AppData\Local\Temp\h
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.0000000001217000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_C4361282
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Pw3K6fcNQoliWeb Data.1.dr Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Iv88OQbqpE.exe, 00000001.00000002.1673637208.0000000000D69000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Code function: 1_2_04EC094E Start: 04EC09F8 End: 04EC095D 1_2_04EC094E
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: NTICE
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: SICE
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: SIWVID
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Code function: 1_2_04EA0EA8 rdtsc 1_2_04EA0EA8
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Code function: 1_2_00B13320 mov eax, dword ptr fs:[00000030h] 1_2_00B13320
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Code function: 1_2_00AC3F10 mov eax, dword ptr fs:[00000030h] 1_2_00AC3F10
Source: Iv88OQbqpE.exe, Iv88OQbqpE.exe, 00000001.00000002.1673637208.0000000000D69000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: IProgram Manager
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Code function: 1_2_00B8DE2D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 1_2_00B8DE2D
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000001.00000002.1676118743.0000000005CB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Iv88OQbqpE.exe PID: 7496, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qf2iRTCbu9eZdALmXvtvP2Z.zip, type: DROPPED
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.0000000001217000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.0000000001217000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.0000000001217000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.0000000001217000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.0000000001217000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.0000000001217000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.0000000001217000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.0000000001217000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: Iv88OQbqpE.exe, 00000001.00000002.1674023072.000000000119D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Liveo
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\logins.json
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\signons.sqlite
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\formhistory.sqlite
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\places.sqlite
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\signons.sqlite
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Iv88OQbqpE.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: Process Memory Space: Iv88OQbqpE.exe PID: 7496, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000001.00000002.1676118743.0000000005CB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Iv88OQbqpE.exe PID: 7496, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qf2iRTCbu9eZdALmXvtvP2Z.zip, type: DROPPED