Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1542329
MD5:e79fcf06f6f663837c3abfec736125c3
SHA1:f21d317e8a22775ebbb77cb256af7d04bb8385a1
SHA256:1e38b032b9cf04afe0921c32af4ec9cddfe66ef25c327bacdc71a3085d2cc0e6
Tags:exeuser-Bitsight
Infos:

Detection

Stealc
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 1272 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E79FCF06F6F663837C3ABFEC736125C3)
    • WerFault.exe (PID: 4708 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1500 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
StealcStealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.2548586234.0000000000711000.00000040.00000001.01000000.00000003.sdmpJoeSecurity_StealcYara detected StealcJoe Security
    00000000.00000002.2549334421.000000000133E000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_StealcYara detected StealcJoe Security
      00000000.00000003.2104870730.00000000050C0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_StealcYara detected StealcJoe Security
        00000000.00000002.2548586234.00000000007AA000.00000040.00000001.01000000.00000003.sdmpJoeSecurity_StealcYara detected StealcJoe Security
          Process Memory Space: file.exe PID: 1272JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
            Click to see the 1 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.file.exe.710000.0.unpackJoeSecurity_StealcYara detected StealcJoe Security

              Sigma Signatures

              No Sigma rule has matched

              Suricata Signatures

              No Suricata rule has matched

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus / Scanner detection for submitted sample
              Source: file.exeAvira: detected
              Antivirus detection for URL or domain
              Source: http://185.215.113.37/URL Reputation: Label: malware
              Source: http://185.215.113.37URL Reputation: Label: malware
              Source: http://185.215.113.37/e2b1563c6670f193.phpURL Reputation: Label: malware
              Found malware configuration
              Source: 0.2.file.exe.710000.0.unpackMalware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
              Multi AV Scanner detection for submitted file
              Source: file.exeReversingLabs: Detection: 50%
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Machine Learning detection for sample
              Source: file.exeJoe Sandbox ML: detected
              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

              Networking

              barindex
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: http://185.215.113.37/e2b1563c6670f193.php
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
              Source: Joe Sandbox ViewIP Address: 185.215.113.37 185.215.113.37
              Source: Joe Sandbox ViewASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
              Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
              Source: file.exe, 00000000.00000002.2549334421.000000000133E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37
              Source: file.exe, 00000000.00000002.2549334421.0000000001399000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2549334421.000000000133E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/
              Source: file.exe, 00000000.00000002.2549334421.000000000133E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/7
              Source: file.exe, 00000000.00000002.2549334421.000000000133E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/U
              Source: Amcache.hve.5.drString found in binary or memory: http://upx.sf.net

              System Summary

              barindex
              PE file contains section with special chars
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .rsrc
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1500
              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: file.exeStatic PE information: Section: bcrkrvhx ZLIB complexity 0.9948627393697226
              Source: file.exe, 00000000.00000002.2548586234.0000000000711000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2104870730.00000000050C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
              Source: classification engineClassification label: mal100.troj.evad.winEXE@2/5@0/1
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1272
              Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\aa68db01-abbb-46a9-8ed6-6305203b435bJump to behavior
              Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: file.exeReversingLabs: Detection: 50%
              Source: file.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
              Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1500
              Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
              Source: file.exeStatic file information: File size 1853952 > 1048576
              Source: file.exeStatic PE information: Raw size of bcrkrvhx is bigger than: 0x100000 < 0x19e800

              Data Obfuscation

              barindex
              Detected unpacking (changes PE section rights)
              Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.710000.0.unpack :EW;.rsrc :W;.idata :W; :EW;bcrkrvhx:EW;qmlvtclo:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;bcrkrvhx:EW;qmlvtclo:EW;.taggant:EW;
              Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
              Source: file.exeStatic PE information: real checksum: 0x1c8685 should be: 0x1cb8a4
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: .rsrc
              Source: file.exeStatic PE information: section name: .idata
              Source: file.exeStatic PE information: section name:
              Source: file.exeStatic PE information: section name: bcrkrvhx
              Source: file.exeStatic PE information: section name: qmlvtclo
              Source: file.exeStatic PE information: section name: .taggant
              Source: file.exeStatic PE information: section name: bcrkrvhx entropy: 7.953714908129621

              Boot Survival

              barindex
              Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonclassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonclassJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
              Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonclassJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Tries to detect sandboxes / dynamic malware analysis system (registry check)
              Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
              Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
              Tries to detect virtualization through RDTSC time measurements
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97230B second address: 97230F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 971B9C second address: 971BAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jl 00007F3828DEBBB6h 0x00000010 pop eax 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE7495 second address: AE749A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADCCF1 second address: ADCD2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F3828DEBBBFh 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e jmp 00007F3828DEBBC1h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F3828DEBBBDh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADCD2B second address: ADCD2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADCD2F second address: ADCD4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3828DEBBC1h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADCD4B second address: ADCD54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADCD54 second address: ADCD5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE6A8B second address: AE6AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F38284EF66Bh 0x0000000b jnp 00007F38284EF67Ch 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE946E second address: AE948F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBBCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop esi 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE948F second address: AE9495 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9532 second address: AE9560 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F3828DEBBBCh 0x0000000c popad 0x0000000d push eax 0x0000000e js 00007F3828DEBBC0h 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9560 second address: AE9564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9564 second address: AE9568 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9568 second address: AE956E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE956E second address: AE958B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3828DEBBBAh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE958B second address: AE9595 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F38284EF66Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9647 second address: AE9661 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F3828DEBBBEh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE96BC second address: AE96EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 push eax 0x00000007 push ebx 0x00000008 jmp 00007F38284EF66Ah 0x0000000d pop ebx 0x0000000e nop 0x0000000f mov dword ptr [ebp+122D3986h], ecx 0x00000015 push 00000000h 0x00000017 mov esi, dword ptr [ebp+122D2BEFh] 0x0000001d push 25BE3413h 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 ja 00007F38284EF666h 0x0000002b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE96EC second address: AE97C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3828DEBBC6h 0x0000000e popad 0x0000000f xor dword ptr [esp], 25BE3493h 0x00000016 mov dword ptr [ebp+122D3986h], eax 0x0000001c push 00000003h 0x0000001e push 00000000h 0x00000020 push edx 0x00000021 call 00007F3828DEBBB8h 0x00000026 pop edx 0x00000027 mov dword ptr [esp+04h], edx 0x0000002b add dword ptr [esp+04h], 00000015h 0x00000033 inc edx 0x00000034 push edx 0x00000035 ret 0x00000036 pop edx 0x00000037 ret 0x00000038 sub di, 4943h 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push ebx 0x00000042 call 00007F3828DEBBB8h 0x00000047 pop ebx 0x00000048 mov dword ptr [esp+04h], ebx 0x0000004c add dword ptr [esp+04h], 0000001Ah 0x00000054 inc ebx 0x00000055 push ebx 0x00000056 ret 0x00000057 pop ebx 0x00000058 ret 0x00000059 jmp 00007F3828DEBBC7h 0x0000005e push 00000003h 0x00000060 mov cx, B75Dh 0x00000064 call 00007F3828DEBBB9h 0x00000069 jmp 00007F3828DEBBBCh 0x0000006e push eax 0x0000006f jmp 00007F3828DEBBBFh 0x00000074 mov eax, dword ptr [esp+04h] 0x00000078 push eax 0x00000079 push edx 0x0000007a push eax 0x0000007b push edx 0x0000007c js 00007F3828DEBBB6h 0x00000082 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE97C4 second address: AE97CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE97CA second address: AE97D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE97D0 second address: AE97D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE97D4 second address: AE97F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push edi 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jnl 00007F3828DEBBB6h 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE97F2 second address: AE97F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE97F8 second address: AE97FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE989D second address: AE9943 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jmp 00007F38284EF66Fh 0x0000000d nop 0x0000000e jmp 00007F38284EF66Ah 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F38284EF668h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D3A32h], eax 0x00000035 sub dword ptr [ebp+122D2CEAh], edi 0x0000003b call 00007F38284EF669h 0x00000040 jnl 00007F38284EF678h 0x00000046 push eax 0x00000047 pushad 0x00000048 push edi 0x00000049 jp 00007F38284EF666h 0x0000004f pop edi 0x00000050 push eax 0x00000051 jmp 00007F38284EF66Ch 0x00000056 pop eax 0x00000057 popad 0x00000058 mov eax, dword ptr [esp+04h] 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f jmp 00007F38284EF66Dh 0x00000064 pushad 0x00000065 popad 0x00000066 popad 0x00000067 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9943 second address: AE9949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9949 second address: AE9980 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F38284EF666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jmp 00007F38284EF670h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jnc 00007F38284EF673h 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9980 second address: AE99DC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F3828DEBBC3h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c and esi, dword ptr [ebp+122D2B87h] 0x00000012 push 00000003h 0x00000014 or dword ptr [ebp+122D3A32h], edx 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007F3828DEBBB8h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 mov dl, C1h 0x00000038 push 00000003h 0x0000003a push CC271769h 0x0000003f push eax 0x00000040 push edx 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 pop edx 0x00000045 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE99DC second address: AE99E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09DF7 second address: B09E06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09E06 second address: B09E1E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F38284EF666h 0x00000008 jc 00007F38284EF666h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007F38284EF666h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B09E1E second address: B09E28 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3828DEBBB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A203 second address: B0A208 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A650 second address: B0A656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A656 second address: B0A65A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0A999 second address: B0A9AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3828DEBBBCh 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0AC2D second address: B0AC62 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F38284EF671h 0x0000000a pop ebx 0x0000000b jnl 00007F38284EF672h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 ja 00007F38284EF688h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0BA50 second address: B0BA56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B0DB1D second address: B0DB26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B12A01 second address: B12A07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B12A07 second address: B12A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B176B4 second address: B176CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3828DEBBC3h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B176CB second address: B176D1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADE8D1 second address: ADE8D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADE8D5 second address: ADE8D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B16C6F second address: B16C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B16DEA second address: B16DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F38284EF666h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B16DF4 second address: B16DF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B17231 second address: B17237 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B199BC second address: B199C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B199C2 second address: B199E6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F38284EF679h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A13E second address: B1A142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A142 second address: B1A15E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38284EF678h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A15E second address: B1A171 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3828DEBBB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A171 second address: B1A177 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A177 second address: B1A181 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3828DEBBBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A20F second address: B1A213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A3EE second address: B1A3F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1A622 second address: B1A626 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1B4B9 second address: B1B4BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1B4BD second address: B1B4CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F38284EF666h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1B4CF second address: B1B4D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D472 second address: B1D4AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38284EF677h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F38284EF678h 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1D4AA second address: B1D4AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1DB2E second address: B1DB33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B21908 second address: B2190C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2190C second address: B21954 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F38284EF666h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F38284EF66Bh 0x00000011 ja 00007F38284EF67Ah 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push edi 0x0000001c pop edi 0x0000001d jmp 00007F38284EF671h 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B21954 second address: B21958 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B21ED7 second address: B21EE7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F38284EF666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c pushad 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B21EE7 second address: B21F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop edi 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F3828DEBBB8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebp 0x0000002a call 00007F3828DEBBB8h 0x0000002f pop ebp 0x00000030 mov dword ptr [esp+04h], ebp 0x00000034 add dword ptr [esp+04h], 00000019h 0x0000003c inc ebp 0x0000003d push ebp 0x0000003e ret 0x0000003f pop ebp 0x00000040 ret 0x00000041 push 00000000h 0x00000043 mov esi, 3A7ACE9Ch 0x00000048 xchg eax, ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b jnl 00007F3828DEBBC1h 0x00000051 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B229C8 second address: B229D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B229D1 second address: B22A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F3828DEBBB8h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D5AB5h], eax 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007F3828DEBBB8h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 00000018h 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 push 00000000h 0x00000047 movzx esi, si 0x0000004a push eax 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e push ebx 0x0000004f pop ebx 0x00000050 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2456F second address: B24599 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38284EF670h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F38284EF674h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B24599 second address: B2459D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B25BEC second address: B25BF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B28AC9 second address: B28ACF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B28ACF second address: B28AD4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B28AD4 second address: B28B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, 38150A62h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F3828DEBBB8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b mov ebx, dword ptr [ebp+122D2AD3h] 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 call 00007F3828DEBBB8h 0x0000003b pop edx 0x0000003c mov dword ptr [esp+04h], edx 0x00000040 add dword ptr [esp+04h], 0000001Ch 0x00000048 inc edx 0x00000049 push edx 0x0000004a ret 0x0000004b pop edx 0x0000004c ret 0x0000004d mov di, 0DC1h 0x00000051 xchg eax, esi 0x00000052 jc 00007F3828DEBBC8h 0x00000058 push eax 0x00000059 push edx 0x0000005a jg 00007F3828DEBBB6h 0x00000060 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B28B46 second address: B28B4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B29914 second address: B29919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B25E24 second address: B25E2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F38284EF666h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2BA09 second address: B2BA0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2BA0D second address: B2BAB1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F38284EF674h 0x0000000e jmp 00007F38284EF66Ah 0x00000013 popad 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F38284EF668h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f mov di, 61F4h 0x00000033 adc bx, 8CD5h 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push esi 0x0000003d call 00007F38284EF668h 0x00000042 pop esi 0x00000043 mov dword ptr [esp+04h], esi 0x00000047 add dword ptr [esp+04h], 00000014h 0x0000004f inc esi 0x00000050 push esi 0x00000051 ret 0x00000052 pop esi 0x00000053 ret 0x00000054 push 00000000h 0x00000056 jmp 00007F38284EF675h 0x0000005b jmp 00007F38284EF674h 0x00000060 xchg eax, esi 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B28C67 second address: B28C6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2AA56 second address: B2AA73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38284EF66Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b jc 00007F38284EF66Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2BAB1 second address: B2BACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3828DEBBC9h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2EACE second address: B2EAEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38284EF678h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2EAEB second address: B2EB41 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3828DEBBB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov bx, E529h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F3828DEBBB8h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d push 00000000h 0x0000002f push ebx 0x00000030 and edi, 3BE8C614h 0x00000036 pop edi 0x00000037 xchg eax, esi 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F3828DEBBC1h 0x0000003f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2FAB8 second address: B2FAC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2FAC1 second address: B2FAC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2FAC5 second address: B2FAE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 pushad 0x0000000a jmp 00007F38284EF676h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B33ACC second address: B33AD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2ED82 second address: B2ED86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B2DDD0 second address: B2DDD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B31D09 second address: B31D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F38284EF66Eh 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34C02 second address: B34C0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B33C4D second address: B33C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B31D1E second address: B31D22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34C0E second address: B34C1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38284EF66Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B34C1C second address: B34C26 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3828DEBBBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B39997 second address: B3999B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3999B second address: B399A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B399A9 second address: B399AF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3C804 second address: B3C81E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 jp 00007F3828DEBBE2h 0x0000000c push esi 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007F3828DEBBB6h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3C81E second address: B3C822 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3C9A9 second address: B3C9B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3C9B1 second address: B3C9B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3C9B7 second address: B3C9BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B3C9BD second address: B3C9C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD7C2D second address: AD7C34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B49591 second address: B495A1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 je 00007F38284EF666h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B495A1 second address: B495A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD61CC second address: AD61E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38284EF66Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push ecx 0x0000000b js 00007F38284EF672h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B487F6 second address: B487FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B48AE8 second address: B48B05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38284EF679h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B48DFA second address: B48E0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B48E0E second address: B48E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B48E12 second address: B48E21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBBBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B48E21 second address: B48E30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F38284EF666h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B48E30 second address: B48E3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4900B second address: B49015 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B49015 second address: B49019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4915A second address: B4915F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4915F second address: B49184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBC8h 0x00000007 pushad 0x00000008 jnl 00007F3828DEBBB6h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4DDE6 second address: B4DDEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4DDEC second address: B4DDF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4DDF1 second address: B4DDF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4CCBB second address: B4CCE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBC4h 0x00000007 jnp 00007F3828DEBBCBh 0x0000000d jmp 00007F3828DEBBBFh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B17F3B second address: B17F41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B17F41 second address: B17F45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B180CE second address: B180D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B180D2 second address: B180D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B18398 second address: B183B0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F38284EF66Ch 0x00000008 jbe 00007F38284EF666h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B183B0 second address: B183B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B183B5 second address: 971B9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38284EF66Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edx, dword ptr [ebp+1245DB23h] 0x00000010 push dword ptr [ebp+122D1121h] 0x00000016 mov dx, 6100h 0x0000001a sub dword ptr [ebp+12447388h], esi 0x00000020 call dword ptr [ebp+122D1ABDh] 0x00000026 pushad 0x00000027 mov dword ptr [ebp+122D1AF8h], esi 0x0000002d xor eax, eax 0x0000002f jmp 00007F38284EF66Ch 0x00000034 mov edx, dword ptr [esp+28h] 0x00000038 mov dword ptr [ebp+122D1AF8h], esi 0x0000003e pushad 0x0000003f mov dword ptr [ebp+122D36EAh], eax 0x00000045 stc 0x00000046 popad 0x00000047 mov dword ptr [ebp+122D2A1Bh], eax 0x0000004d jmp 00007F38284EF673h 0x00000052 mov esi, 0000003Ch 0x00000057 clc 0x00000058 add esi, dword ptr [esp+24h] 0x0000005c jmp 00007F38284EF66Ch 0x00000061 lodsw 0x00000063 pushad 0x00000064 mov dword ptr [ebp+122D36EAh], ecx 0x0000006a mov dword ptr [ebp+122D1AF8h], eax 0x00000070 popad 0x00000071 add eax, dword ptr [esp+24h] 0x00000075 mov dword ptr [ebp+122D1AF8h], edi 0x0000007b mov ebx, dword ptr [esp+24h] 0x0000007f mov dword ptr [ebp+122D1AF8h], edi 0x00000085 add dword ptr [ebp+122D36EAh], edi 0x0000008b nop 0x0000008c push edx 0x0000008d pushad 0x0000008e pushad 0x0000008f popad 0x00000090 push eax 0x00000091 push edx 0x00000092 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B18495 second address: B184B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 145235D1h 0x0000000c mov edi, esi 0x0000000e movzx edi, ax 0x00000011 push 6409FD5Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 jo 00007F3828DEBBB8h 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B18623 second address: B18648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push ecx 0x00000008 jmp 00007F38284EF672h 0x0000000d pop ecx 0x0000000e popad 0x0000000f mov dword ptr [esp], esi 0x00000012 nop 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B1871C second address: B18721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B18DD7 second address: B18DDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B18F2C second address: B18F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3828DEBBC2h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B18F43 second address: B18F71 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F38284EF66Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F38284EF678h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B18F71 second address: B18F76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B190A4 second address: B190FA instructions: 0x00000000 rdtsc 0x00000002 jne 00007F38284EF666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b nop 0x0000000c pushad 0x0000000d mov dword ptr [ebp+122D39C3h], edi 0x00000013 mov ecx, 3B6AD25Eh 0x00000018 popad 0x00000019 lea eax, dword ptr [ebp+12479C6Bh] 0x0000001f push 00000000h 0x00000021 push eax 0x00000022 call 00007F38284EF668h 0x00000027 pop eax 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c add dword ptr [esp+04h], 00000019h 0x00000034 inc eax 0x00000035 push eax 0x00000036 ret 0x00000037 pop eax 0x00000038 ret 0x00000039 mov ecx, dword ptr [ebp+122D2AAFh] 0x0000003f mov edi, dword ptr [ebp+122D2BE7h] 0x00000045 nop 0x00000046 push ecx 0x00000047 js 00007F38284EF66Ch 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B190FA second address: B19120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F3828DEBBCEh 0x0000000e jmp 00007F3828DEBBC8h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B17EC8 second address: B17F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F38284EF668h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov cx, si 0x00000025 mov ecx, eax 0x00000027 lea eax, dword ptr [ebp+12479C27h] 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007F38284EF668h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 0000001Bh 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 mov edx, 10D529A5h 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F38284EF670h 0x00000054 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4D553 second address: B4D572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3828DEBBB6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jne 00007F3828DEBBC2h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4D572 second address: B4D578 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4D578 second address: B4D57C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4D94C second address: B4D96E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38284EF679h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4D96E second address: B4D973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4D973 second address: B4D9A0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F38284EF66Bh 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F38284EF66Ah 0x0000001c push esi 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 pop esi 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B4D9A0 second address: B4D9B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBBDh 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F3828DEBBB6h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B52AF5 second address: B52AF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B52C52 second address: B52C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jng 00007F3828DEBBC8h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B53077 second address: B5307E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5346A second address: B53488 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B53488 second address: B5348C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5348C second address: B53495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B53495 second address: B5349F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B535EE second address: B535FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B535FD second address: B53614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38284EF670h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B53614 second address: B5361A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5361A second address: B5361E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B56F00 second address: B56F2A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jc 00007F3828DEBBB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F3828DEBBBBh 0x00000012 jmp 00007F3828DEBBBAh 0x00000017 jo 00007F3828DEBBB6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B56F2A second address: B56F32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B56F32 second address: B56F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B56F38 second address: B56F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F38284EF675h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5D1CD second address: B5D206 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBC5h 0x00000007 jmp 00007F3828DEBBBAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007F3828DEBBC0h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5D206 second address: B5D219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F38284EF66Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5D219 second address: B5D21D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B5D21D second address: B5D228 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B619CA second address: B619E0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3828DEBBB6h 0x00000008 js 00007F3828DEBBB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B619E0 second address: B619E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B619E6 second address: B61A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F3828DEBBBDh 0x00000008 jns 00007F3828DEBBB6h 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F3828DEBBC7h 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61A18 second address: B61A1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61F71 second address: B61F82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B61F82 second address: B61F87 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B62257 second address: B6225D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B624EB second address: B624F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B624F1 second address: B624FD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B624FD second address: B62507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F38284EF666h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B627A5 second address: B627B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3828DEBBB6h 0x0000000a je 00007F3828DEBBB6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B627B7 second address: B627C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B64980 second address: B6498B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6498B second address: B6498F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B67E50 second address: B67E6C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F3828DEBBB6h 0x0000000e jmp 00007F3828DEBBBEh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B67914 second address: B67923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38284EF66Bh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B67923 second address: B6794A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBBAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push esi 0x0000000d jmp 00007F3828DEBBC2h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6794A second address: B67950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B67950 second address: B67956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6B468 second address: B6B46C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6B46C second address: B6B477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6B5FF second address: B6B617 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38284EF66Eh 0x00000007 jl 00007F38284EF666h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6B77A second address: B6B77F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F21C second address: B6F221 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F221 second address: B6F22C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F22C second address: B6F23C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop ecx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F385 second address: B6F394 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBBBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F394 second address: B6F3B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F38284EF677h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F3B3 second address: B6F3B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F520 second address: B6F534 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 jl 00007F38284EF666h 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F38284EF666h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F534 second address: B6F53A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F65C second address: B6F683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F38284EF674h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007F38284EF666h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F683 second address: B6F689 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F689 second address: B6F694 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F38284EF666h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F926 second address: B6F92A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F92A second address: B6F940 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38284EF672h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B6F940 second address: B6F94A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B76C61 second address: B76C65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7570F second address: B7571C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jnp 00007F3828DEBBB6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B75AFE second address: B75B1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F38284EF666h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F38284EF66Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 jp 00007F38284EF666h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B18A5E second address: B18A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B18A62 second address: B18A77 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F38284EF66Bh 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B18A77 second address: B18AAD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3828DEBBB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b nop 0x0000000c pushad 0x0000000d or dword ptr [ebp+12472DFFh], edx 0x00000013 add si, 99D9h 0x00000018 popad 0x00000019 mov ebx, dword ptr [ebp+12479C66h] 0x0000001f stc 0x00000020 add eax, ebx 0x00000022 and edx, 108BC400h 0x00000028 nop 0x00000029 push edi 0x0000002a pushad 0x0000002b push eax 0x0000002c pop eax 0x0000002d push ecx 0x0000002e pop ecx 0x0000002f popad 0x00000030 pop edi 0x00000031 push eax 0x00000032 pushad 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B75E3F second address: B75E44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7696A second address: B76988 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F3828DEBBC0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F3828DEBBB6h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B76988 second address: B76998 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38284EF66Ah 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B76998 second address: B7699D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7699D second address: B769C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push ecx 0x00000008 js 00007F38284EF666h 0x0000000e jno 00007F38284EF666h 0x00000014 pop ecx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007F38284EF66Ch 0x00000022 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B769C6 second address: B769CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B769CE second address: B769D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B769D4 second address: B769D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7C7C4 second address: B7C7E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38284EF66Dh 0x00000007 ja 00007F38284EF666h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007F38284EF666h 0x00000017 je 00007F38284EF666h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7C7E9 second address: B7C7EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7C7EF second address: B7C7FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7C7FB second address: B7C7FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7C7FF second address: B7C805 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7C912 second address: B7C916 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7C916 second address: B7C929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jc 00007F38284EF666h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7C929 second address: B7C92E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7C92E second address: B7C937 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7C937 second address: B7C942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7C942 second address: B7C946 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7D150 second address: B7D158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7D158 second address: B7D15C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7D15C second address: B7D162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7D162 second address: B7D168 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7D168 second address: B7D187 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7D187 second address: B7D18B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7D18B second address: B7D19C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBBDh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7D4B4 second address: B7D4BE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F38284EF666h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7D799 second address: B7D79D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7D79D second address: B7D7C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38284EF674h 0x00000007 jmp 00007F38284EF66Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7DA97 second address: B7DA9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7DDE5 second address: B7DE05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jmp 00007F38284EF66Ah 0x0000000c pushad 0x0000000d jl 00007F38284EF666h 0x00000013 jo 00007F38284EF666h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7E0FC second address: B7E100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7E100 second address: B7E104 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7E104 second address: B7E10C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7E3AA second address: B7E3AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B7E3AE second address: B7E3B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8331B second address: B8332A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F38284EF666h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B825C6 second address: B825CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82723 second address: B82729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82729 second address: B8276C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F3828DEBBBAh 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F3828DEBBBBh 0x00000016 jbe 00007F3828DEBBB6h 0x0000001c jno 00007F3828DEBBB6h 0x00000022 jmp 00007F3828DEBBC4h 0x00000027 popad 0x00000028 popad 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8276C second address: B82776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F38284EF666h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82776 second address: B82780 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3828DEBBB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82780 second address: B82789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82789 second address: B827A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jbe 00007F3828DEBBB6h 0x0000000c popad 0x0000000d jg 00007F3828DEBBB8h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B827A2 second address: B827A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82A10 second address: B82A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82A18 second address: B82A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 jmp 00007F38284EF66Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F38284EF674h 0x00000015 push ecx 0x00000016 ja 00007F38284EF666h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82A4B second address: B82A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82D26 second address: B82D2C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B82E9D second address: B82EBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBC2h 0x00000007 jmp 00007F3828DEBBBBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B87EF9 second address: B87F01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B87F01 second address: B87F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B8955B second address: B89561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B93049 second address: B93088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F3828DEBBC7h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F3828DEBBC6h 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B93088 second address: B9308E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9308E second address: B93096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91210 second address: B91216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91216 second address: B9121A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9121A second address: B9121E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9121E second address: B9123A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3828DEBBC2h 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9139D second address: B913A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F38284EF666h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B913A7 second address: B913D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3828DEBBC4h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B918DF second address: B91915 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38284EF673h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F38284EF679h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91915 second address: B9191B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91BCB second address: B91BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91BCF second address: B91BE1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F3828DEBBB6h 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91BE1 second address: B91BE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91BE9 second address: B91BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91BED second address: B91BF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91BF1 second address: B91C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F3828DEBBBEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91C0C second address: B91C33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F38284EF676h 0x0000000e jl 00007F38284EF668h 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91C33 second address: B91C3D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3828DEBBBEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91D78 second address: B91D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B91D7C second address: B91DA2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3828DEBBB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F3828DEBBBDh 0x00000010 jnc 00007F3828DEBBB6h 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b push eax 0x0000001c pop eax 0x0000001d pop ebx 0x0000001e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B920D6 second address: B920ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F38284EF666h 0x0000000a pop esi 0x0000000b pushad 0x0000000c je 00007F38284EF666h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9285C second address: B9287B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3828DEBBC9h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9287B second address: B9287F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9287F second address: B92888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B92888 second address: B9288E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B92F0B second address: B92F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B90DC5 second address: B90DCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B90DCB second address: B90DD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B90DD3 second address: B90DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B90DDF second address: B90DFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3828DEBBB6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3828DEBBBCh 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B90DFC second address: B90E02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B90E02 second address: B90E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B952F9 second address: B95300 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B99F14 second address: B99F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B99996 second address: B9999C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: B9999C second address: B999A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA8741 second address: BA8753 instructions: 0x00000000 rdtsc 0x00000002 je 00007F38284EF666h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA8753 second address: BA8757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA8757 second address: BA875B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA875B second address: BA8778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push edx 0x0000000f pop edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jc 00007F3828DEBBB6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA8778 second address: BA877C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA877C second address: BA8780 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA8780 second address: BA878C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F38284EF666h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA878C second address: BA87AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3828DEBBC9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA87AB second address: BA87AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD9765 second address: AD9782 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3828DEBBB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F3828DEBBC3h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA827E second address: BA8299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38284EF677h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BA8299 second address: BA82B8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3828DEBBB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F3828DEBBC3h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB9343 second address: BB9359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F38284EF66Dh 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBB30A second address: BBB30E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBB30E second address: BBB314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBB314 second address: BBB324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3828DEBBBAh 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBB162 second address: BBB166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBB166 second address: BBB16A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBB16A second address: BBB17A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jbe 00007F38284EF666h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBE3ED second address: BBE407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3828DEBBC5h 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBE407 second address: BBE41E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F38284EF673h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBE41E second address: BBE45E instructions: 0x00000000 rdtsc 0x00000002 js 00007F3828DEBBB6h 0x00000008 jmp 00007F3828DEBBC8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F3828DEBBC6h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b pop eax 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BBE45E second address: BBE46B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jne 00007F38284EF666h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC3901 second address: BC3905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC83FC second address: BC8412 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F38284EF666h 0x00000009 push edi 0x0000000a pop edi 0x0000000b jnp 00007F38284EF666h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC8412 second address: BC843E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jmp 00007F3828DEBBC3h 0x00000010 pushad 0x00000011 jmp 00007F3828DEBBBBh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BC843E second address: BC8444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD8486 second address: BD8490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3828DEBBB6h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD8490 second address: BD8494 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD8494 second address: BD849A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD849A second address: BD84BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F38284EF677h 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BD84BA second address: BD84DE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3828DEBBCEh 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE81CF second address: BE81D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE81D3 second address: BE81D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE9C54 second address: BE9C64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F38284EF666h 0x0000000a jnp 00007F38284EF666h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BE9C64 second address: BE9C74 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3828DEBBB6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BED227 second address: BED232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BED232 second address: BED238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BED238 second address: BED23E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BED23E second address: BED244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFC469 second address: BFC471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFC71E second address: BFC722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFC722 second address: BFC72B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFCE59 second address: BFCE5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFCE5F second address: BFCE64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFD008 second address: BFD033 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop edi 0x00000008 push esi 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3828DEBBC5h 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFD033 second address: BFD037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BFD037 second address: BFD048 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C01244 second address: C01248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C03291 second address: C03295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C04D4A second address: C04D54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F38284EF666h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5250279 second address: 525027D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 525027D second address: 5250283 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5250283 second address: 52502A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3828DEBBC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52502A3 second address: 5250331 instructions: 0x00000000 rdtsc 0x00000002 call 00007F38284EF66Ah 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a call 00007F38284EF66Bh 0x0000000f mov ch, B8h 0x00000011 pop edi 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007F38284EF677h 0x0000001b jmp 00007F38284EF678h 0x00000020 popad 0x00000021 pushfd 0x00000022 jmp 00007F38284EF672h 0x00000027 and ax, BDC8h 0x0000002c jmp 00007F38284EF66Bh 0x00000031 popfd 0x00000032 popad 0x00000033 xchg eax, ebp 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F38284EF675h 0x0000003b rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5250331 second address: 5250387 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3828DEBBC7h 0x00000009 jmp 00007F3828DEBBC3h 0x0000000e popfd 0x0000000f jmp 00007F3828DEBBC8h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c movsx edx, ax 0x0000001f mov bx, si 0x00000022 popad 0x00000023 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5250387 second address: 525038D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 525038D second address: 52503C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F3828DEBBC2h 0x00000012 and eax, 002BB278h 0x00000018 jmp 00007F3828DEBBBBh 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52503C0 second address: 52503C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52503C5 second address: 52503CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5250410 second address: 5250416 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5250416 second address: 525041C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 525041C second address: 5250420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5250420 second address: 5250424 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Tries to evade debugger and weak emulator (self modifying code)
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 971B15 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 971BED instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 971B3A instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 96F6D6 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: B39A08 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: B9BED1 instructions caused by: Self-modifying code
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
              Source: C:\Users\user\Desktop\file.exeLast function: Thread delayed
              Source: file.exe, file.exe, 00000000.00000002.2548877358.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
              Source: Amcache.hve.5.drBinary or memory string: VMware
              Source: Amcache.hve.5.drBinary or memory string: VMware Virtual USB Mouse
              Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin
              Source: Amcache.hve.5.drBinary or memory string: VMware, Inc.
              Source: Amcache.hve.5.drBinary or memory string: VMware20,1hbin@
              Source: Amcache.hve.5.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: Amcache.hve.5.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.5.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: file.exe, 00000000.00000002.2549334421.00000000013B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: Amcache.hve.5.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.5.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: Amcache.hve.5.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: file.exe, 00000000.00000002.2549334421.000000000133E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwarei
              Source: Amcache.hve.5.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: file.exe, 00000000.00000002.2548877358.0000000000BCF000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: ZhgfS
              Source: Amcache.hve.5.drBinary or memory string: vmci.sys
              Source: Amcache.hve.5.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
              Source: Amcache.hve.5.drBinary or memory string: vmci.syshbin`
              Source: Amcache.hve.5.drBinary or memory string: \driver\vmci,\driver\pci
              Source: Amcache.hve.5.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.5.drBinary or memory string: VMware20,1
              Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.5.drBinary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.5.drBinary or memory string: VMware Virtual disk SCSI Disk Device
              Source: file.exe, 00000000.00000002.2549334421.000000000133E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
              Source: Amcache.hve.5.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: Amcache.hve.5.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: file.exe, 00000000.00000002.2549334421.0000000001381000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`w;
              Source: Amcache.hve.5.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: Amcache.hve.5.drBinary or memory string: VMware PCI VMCI Bus Device
              Source: Amcache.hve.5.drBinary or memory string: VMware VMCI Bus Device
              Source: Amcache.hve.5.drBinary or memory string: VMware Virtual RAM
              Source: Amcache.hve.5.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: file.exe, 00000000.00000002.2548877358.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
              Source: Amcache.hve.5.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

              Anti Debugging

              barindex
              Hides threads from debuggers
              Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
              Tries to detect sandboxes and other dynamic analysis tools (window names)
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
              Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
              Source: C:\Users\user\Desktop\file.exeFile opened: SICE
              Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\file.exeMemory protected: page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Yara detected Powershell download and execute
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 1272, type: MEMORYSTR
              Source: file.exe, file.exe, 00000000.00000002.2548877358.0000000000AF1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: DProgram Manager
              Source: C:\Users\user\Desktop\file.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
              Source: C:\Users\user\Desktop\file.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: Amcache.hve.5.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
              Source: Amcache.hve.5.drBinary or memory string: msmpeng.exe
              Source: Amcache.hve.5.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
              Source: Amcache.hve.5.drBinary or memory string: MsMpEng.exe

              Stealing of Sensitive Information

              barindex
              Yara detected Stealc
              Source: Yara matchFile source: 0.2.file.exe.710000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000002.2548586234.0000000000711000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2549334421.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2104870730.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2548586234.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 1272, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Yara detected Stealc
              Source: Yara matchFile source: 0.2.file.exe.710000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000002.2548586234.0000000000711000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2549334421.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000003.2104870730.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2548586234.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 1272, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
              Command and Scripting Interpreter              		1
              DLL Side-Loading              		2
              Process Injection              		23
              Virtualization/Sandbox Evasion              		OS Credential Dumping641
              Security Software Discovery              		Remote ServicesData from Local System1
              Ingress Tool Transfer              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
              DLL Side-Loading              		1
              Disable or Modify Tools              		LSASS Memory23
              Virtualization/Sandbox Evasion              		Remote Desktop ProtocolData from Removable Media1
              Non-Application Layer Protocol              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)2
              Process Injection              		Security Account Manager2
              Process Discovery              		SMB/Windows Admin SharesData from Network Shared Drive11
              Application Layer Protocol              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
              Obfuscated Files or Information              		NTDS222
              System Information Discovery              		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script12
              Software Packing              		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              DLL Side-Loading              		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              file.exe50%ReversingLabsWin32.Trojan.Generic
              file.exe100%AviraTR/Crypt.TPM.Gen
              file.exe100%Joe Sandbox ML

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://185.215.113.37/100%URL Reputationmalware
              http://upx.sf.net0%URL Reputationsafe
              http://185.215.113.37100%URL Reputationmalware
              http://185.215.113.37/e2b1563c6670f193.php100%URL Reputationmalware

              Domains and IPs

              Contacted Domains

              No contacted domains info

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              http://185.215.113.37/true
              • URL Reputation: malware
              		unknown
              http://185.215.113.37/e2b1563c6670f193.phptrue
              • URL Reputation: malware
              		unknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://upx.sf.netAmcache.hve.5.drfalse
              • URL Reputation: safe
              		unknown
              http://185.215.113.37/Ufile.exe, 00000000.00000002.2549334421.000000000133E000.00000004.00000020.00020000.00000000.sdmptrue
                		unknown
                http://185.215.113.37file.exe, 00000000.00000002.2549334421.000000000133E000.00000004.00000020.00020000.00000000.sdmptrue
                • URL Reputation: malware
                		unknown
                http://185.215.113.37/7file.exe, 00000000.00000002.2549334421.000000000133E000.00000004.00000020.00020000.00000000.sdmptrue
                  		unknown

                  World Map of Contacted IPs

                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs

                  Public IPs

                  IPDomainCountryFlagASNASN NameMalicious
                  185.215.113.37
                  		unknownPortugal
                  		206894WHOLESALECONNECTIONSNLtrue

                  General Information

                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1542329
                  Start date and time:2024-10-25 19:45:49 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 4m 55s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:8
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:file.exe
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@2/5@0/1
                  EGA Information:Failed
                  HCA Information:Failed
                  Cookbook Comments:
                  • Found application associated with file extension: .exe

                  Warnings

                  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 20.42.73.29
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target file.exe, PID 1272 because there are no executed function
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: file.exe

                  Simulations

                  Behavior and APIs

                  TimeTypeDescription
                  13:47:28API Interceptor1x Sleep call for process: WerFault.exe modified

                  Joe Sandbox View / Context

                  IPs

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  185.215.113.37file.exeGet hashmaliciousStealc, VidarBrowse
                  • 185.215.113.37/e2b1563c6670f193.php
                  file.exeGet hashmaliciousStealcBrowse
                  • 185.215.113.37/e2b1563c6670f193.php
                  file.exeGet hashmaliciousStealc, VidarBrowse
                  • 185.215.113.37/e2b1563c6670f193.php
                  file.exeGet hashmaliciousStealcBrowse
                  • 185.215.113.37/e2b1563c6670f193.php
                  file.exeGet hashmaliciousStealc, VidarBrowse
                  • 185.215.113.37/e2b1563c6670f193.php
                  file.exeGet hashmaliciousStealc, VidarBrowse
                  • 185.215.113.37/e2b1563c6670f193.php
                  file.exeGet hashmaliciousStealcBrowse
                  • 185.215.113.37/e2b1563c6670f193.php
                  file.exeGet hashmaliciousStealc, VidarBrowse
                  • 185.215.113.37/e2b1563c6670f193.php
                  file.exeGet hashmaliciousStealcBrowse
                  • 185.215.113.37/e2b1563c6670f193.php
                  file.exeGet hashmaliciousStealc, VidarBrowse
                  • 185.215.113.37/e2b1563c6670f193.php

                  Domains

                  No context

                  ASNs

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  WHOLESALECONNECTIONSNLfile.exeGet hashmaliciousStealc, VidarBrowse
                  • 185.215.113.37
                  file.exeGet hashmaliciousNetSupport RATBrowse
                  • 185.215.113.67
                  file.exeGet hashmaliciousNetSupport RATBrowse
                  • 185.215.113.67
                  file.exeGet hashmaliciousStealcBrowse
                  • 185.215.113.37
                  file.exeGet hashmaliciousStealc, VidarBrowse
                  • 185.215.113.37
                  file.exeGet hashmaliciousStealcBrowse
                  • 185.215.113.37
                  file.exeGet hashmaliciousStealc, VidarBrowse
                  • 185.215.113.37
                  file.exeGet hashmaliciousStealc, VidarBrowse
                  • 185.215.113.37
                  file.exeGet hashmaliciousStealcBrowse
                  • 185.215.113.37
                  file.exeGet hashmaliciousStealc, VidarBrowse
                  • 185.215.113.37

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_819e5e45b8a757e26ca9bd44e6d9284b79b3342d_a5cec3f2_f9e08bca-3b45-4977-9b29-af39d12daa7a\Report.wer

                  Download File
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):0.9484488716931103
                  Encrypted:false
                  SSDEEP:192:kzXzMG53vqPlI0BU/7E3juCZr+dQzuiFGZ24IO8ThB:yX7qNjBU/AjWyzuiFGY4IO8r
                  MD5:A1FD8265FE1D0FA10C4A18CC3589DDB7
                  SHA1:EFE88DC5E0C2B0F77E453C14323A9D98E70A620D
                  SHA-256:3B1A57CDFB6BC6FC82C95665FF957BEEE3673424A9F64E87763F3362CF870B12
                  SHA-512:870AEC247B67B68EFD5EA2B46CAEE83329A144A3A2CF7285B7A5A8AC9471E6EE15ABCC36ED8586922CD96C5EB57922F94CA57E1757D73CBDB67C80290F246791
                  Malicious:true
                  Reputation:low
                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.3.5.2.0.3.2.1.9.2.6.2.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.3.5.2.0.3.3.0.3.6.3.8.7.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.9.e.0.8.b.c.a.-.3.b.4.5.-.4.9.7.7.-.9.b.2.9.-.a.f.3.9.d.1.2.d.a.a.7.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.0.2.9.9.f.2.f.-.8.7.0.2.-.4.0.3.4.-.b.6.9.c.-.2.2.a.e.0.3.9.b.7.5.d.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.f.8.-.0.0.0.1.-.0.0.1.4.-.9.6.9.f.-.c.1.d.b.0.5.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.f.2.1.d.3.1.7.e.8.a.2.2.7.7.5.e.b.b.b.7.7.c.b.2.5.6.a.f.7.d.0.4.b.b.8.3.8.5.a.1.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9.

                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER355D.tmp.dmp

                  Download File
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 14 streams, Fri Oct 25 17:47:12 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):276534
                  Entropy (8bit):1.3169291868811661
                  Encrypted:false
                  SSDEEP:768:uMd9aBReEOxK6/aONjt9jERoSEqUkN3wMhARMr:uMd9kF6zxtmjVN3ZhaMr
                  MD5:C1E30BC68C382847EA81CB17476A7ABF
                  SHA1:7D09ECF9EC52D1E08BB672DAC5AFE8213906EB7E
                  SHA-256:5DC68D7AA07C2A15B5AEC3A33F5CE41078DB01DEC50029FCA349051ACEACDF37
                  SHA-512:54500B31342FC83ABB9628F006C9840C92FE2A410910D1564035D75FE778835EC8B40E8F45A2A4CECD58EA269020870F27C8544914975065ADF0C1111E7F24E4
                  Malicious:false
                  Reputation:low
                  Preview:MDMP..a..... ..........g............d...............l.......................T.......8...........T........... ;..............."..........t$..............................................................................eJ.......%......GenuineIntel............T..............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER36D5.tmp.WERInternalMetadata.xml

                  Download File
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8326
                  Entropy (8bit):3.693718896649888
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJqCQ6nEe6YEIvSU6GjgmfBETpr089b+fsfiKm:R6lXJ+6N6YEQSU66gmf+/+Efm
                  MD5:06A45DA7F12A8D9F434A01D4DCA2797A
                  SHA1:54EA5075DB6114598F5A657728E5D28CCBDFBA0D
                  SHA-256:C93C08E62721556A1BF5BD9F2AB45C90A6864DA52977C53E7129521541443D0B
                  SHA-512:C47F5BD0F7E7A088FABDD777894653D6A76DA4D2A31D43C71AB7EB807599B461F883CCE004553DC50FE58DD21D48A0CFAA1DF9DE7823E596ED448EF95565C8E8
                  Malicious:false
                  Reputation:low
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.7.2.<./.P.i.

                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER3714.tmp.xml

                  Download File
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4558
                  Entropy (8bit):4.435804712506073
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zsgJg77aI9/8WpW8VYoYm8M4JVeFeG+q818y6mhd:uIjfmI7p17V4Js5y9hd
                  MD5:C917A1EABD92DFAF8D4831F6F71402E6
                  SHA1:2AB29F452DC3F8C658942305D4EA77F075D2838F
                  SHA-256:296722B33781E174F0577FA4134AC915B97102784A1062C8E0C5566FD44F1960
                  SHA-512:FE0164BE3723D56913A3CFCC09BF5620D8554E6E94777113DB902805CDF2B2BC15ADA93B0A0D8F5FBE159EBE5689D4925E5052C8D0C75083F6848D6A245CBB5D
                  Malicious:false
                  Reputation:low
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="559249" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                  C:\Windows\appcompat\Programs\Amcache.hve

                  Download File
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):1835008
                  Entropy (8bit):4.421344163188144
                  Encrypted:false
                  SSDEEP:6144:eSvfpi6ceLP/9skLmb0OToWSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:9vloToW+EZMM6DFy403w
                  MD5:62B7B11423DFC495268A1D6606EA85E3
                  SHA1:171E633E380E458FDDC9969B9745B81CF6AC2921
                  SHA-256:8ABD01F45DC44C68B4280BDA611548C8F5C5D2C781DBDBB4CA41E4201276DA83
                  SHA-512:97A4E746A5B8EE0B30F3F63F5F68BDE24A668D3B2B573973953B581506DAC19D4679630D0CF5A27D1559275FEDF2A62F6E71FF9E2E21F328F9964B8010D073F0
                  Malicious:false
                  Reputation:low
                  Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmv....'...............................................................................................................................................................................................................................................................................................................................................-..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.946658674300828
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:file.exe
                  File size:1'853'952 bytes
                  MD5:e79fcf06f6f663837c3abfec736125c3
                  SHA1:f21d317e8a22775ebbb77cb256af7d04bb8385a1
                  SHA256:1e38b032b9cf04afe0921c32af4ec9cddfe66ef25c327bacdc71a3085d2cc0e6
                  SHA512:3694a497ed17f0b595d51ec2bbb599c57134fe9a567266e93f5a25858aceec31d9daf54dc4ca6f7b66cffd791d40d0d603e9f58322368375027738bba42ff18d
                  SSDEEP:49152:NnyBld2/i7/mAC7pIYF/kNK6KwgkmUJ72BxaP8alV:ClC/pSK+g4KxaUa
                  TLSH:248533740551AFE2F2CA4B308345AAC45D284BC0F5FD1259F6E395B662E3D8122FBD8A
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........

                  File Icon

                  Icon Hash:00928e8e8686b000

                  Static PE Info

                  General

                  Entrypoint:0xa9e000
                  Entrypoint Section:.taggant
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                  Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:2eabe9054cad5152567f0699947a2c5b

                  Entrypoint Preview

                  Instruction
                  jmp 00007F3828FCF0DAh
                  movaps xmm3, dqword ptr [eax+eax]
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  jmp 00007F3828FD10D5h
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al

                  Rich Headers

                  Programming Language:
                  • [C++] VS2010 build 30319
                  • [ASM] VS2010 build 30319
                  • [ C ] VS2010 build 30319
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [LNK] VS2010 build 30319

                  Data Directories

                  NameVirtual AddressVirtual Size Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_IMPORT0x25d0500x64.idata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x25d1f80x8.idata
                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                  Sections

                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                  0x10000x25b0000x22800ab437d92668d9cd1ac51b16b8ed7956aunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc 0x25c0000x10000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .idata 0x25d0000x10000x200c60c4959cc8d384ac402730cc6842bb0False0.1328125data0.9064079259880791IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  0x25e0000x2a00000x2008f796a8d9234d1a0f826ac5cfd83c56bunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  bcrkrvhx0x4fe0000x19f0000x19e8000372f96dfccc426f5cc8d7aafba29efaFalse0.9948627393697226data7.953714908129621IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  qmlvtclo0x69d0000x10000x40043917ec015a371ed74670cfff2b8e71dFalse0.828125data6.326834485524474IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .taggant0x69e0000x30000x22002d1d35c6cbeca1587521d4c5ca9eaed8False0.006548713235294118DOS executable (COM)0.019571456231530684IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                  Imports

                  DLLImport
                  kernel32.dlllstrcpy

                  Network Behavior

                  Network Port Distribution

                  TCP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  Oct 25, 2024 19:46:49.537285089 CEST4970480192.168.2.5185.215.113.37
                  Oct 25, 2024 19:46:49.542737007 CEST8049704185.215.113.37192.168.2.5
                  Oct 25, 2024 19:46:49.542844057 CEST4970480192.168.2.5185.215.113.37
                  Oct 25, 2024 19:46:49.543051958 CEST4970480192.168.2.5185.215.113.37
                  Oct 25, 2024 19:46:49.548312902 CEST8049704185.215.113.37192.168.2.5
                  Oct 25, 2024 19:46:58.035417080 CEST8049704185.215.113.37192.168.2.5
                  Oct 25, 2024 19:46:58.035576105 CEST4970480192.168.2.5185.215.113.37
                  Oct 25, 2024 19:46:58.035734892 CEST4970480192.168.2.5185.215.113.37
                  Oct 25, 2024 19:46:58.041004896 CEST8049704185.215.113.37192.168.2.5

                  UDP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  Oct 25, 2024 19:47:32.624254942 CEST5360646162.159.36.2192.168.2.5
                  Oct 25, 2024 19:47:33.284425974 CEST53517091.1.1.1192.168.2.5

                  HTTP Request Dependency Graph

                  • 185.215.113.37

                  HTTP Packets

                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  0192.168.2.549704185.215.113.37801272C:\Users\user\Desktop\file.exe
                  TimestampBytes transferredDirectionData
                  Oct 25, 2024 19:46:49.543051958 CEST89OUTGET / HTTP/1.1
                  Host: 185.215.113.37
                  Connection: Keep-Alive
                  Cache-Control: no-cache


                  Statistics

                  CPU Usage

                  Click to jump to process

                  Memory Usage

                  Click to jump to process

                  High Level Behavior Distribution

                  Click to dive into process behavior distribution

                  Behavior

                  Click to jump to process

                  System Behavior

                  General

                  Target ID:0
                  Start time:13:46:45
                  Start date:25/10/2024
                  Path:C:\Users\user\Desktop\file.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\file.exe"
                  Imagebase:0x710000
                  File size:1'853'952 bytes
                  MD5 hash:E79FCF06F6F663837C3ABFEC736125C3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2548586234.0000000000711000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2549334421.000000000133E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2104870730.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2548586234.00000000007AA000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:true

                  General

                  Target ID:5
                  Start time:13:47:12
                  Start date:25/10/2024
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 1500
                  Imagebase:0x2d0000
                  File size:483'680 bytes
                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Disassembly

                  No disassembly