Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1559010
MD5: af00fae5bf606001c0c6ef0b98fb54d0
SHA1: a24fe73ec0b2d0190d3f6f068ca3c13a6cde4fd3
SHA256: 8b1fbd75e6fcdf963260148537cae0d876130656c343518a5d7623937d4f0881
Tags: exeuser-Bitsight
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

barindex
Source: file.exe Avira: detected
Source: http://185.215.113.206/c4becf79229cb002.phpktop Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/ug Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpaoNw Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpmoZw Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpyo&w Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/Pg Avira URL Cloud: Label: malware
Source: file.exe.1228.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "mars"}
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy, 0_2_003A4C50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C40B0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_003C40B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A60D0 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,lstrlen,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy, 0_2_003A60D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B6960 lstrcpy,SHGetFolderPathA,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,LocalAlloc,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy, 0_2_003B6960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003AEA30 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat, 0_2_003AEA30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A9B20 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_003A9B20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B6B79 lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetProcessHeap,RtlAllocateHeap,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,StrStrA,lstrlen,lstrcpy,lstrcpy,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrlen,lstrlen,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy, 0_2_003B6B79
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A9B80 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_003A9B80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A7750 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_003A7750
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 0_2_003B18A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_003B3910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003BE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 0_2_003BE210
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_003B1269
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_003B1250
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA, 0_2_003B4B29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_003B4B10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA, 0_2_003B23A9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003ADB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_003ADB99
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA, 0_2_003B2390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003ADB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_003ADB80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003BCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 0_2_003BCBE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003BDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy, 0_2_003BDD30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003BD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_003BD530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA, 0_2_003A16B9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 0_2_003A16A0

Networking

barindex
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49705 -> 185.215.113.206:80
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIEGCBKEGCFCBFIDBFIIHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 44 36 46 44 43 37 32 37 33 43 32 30 30 32 32 39 35 36 32 30 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 2d 2d 0d 0a Data Ascii: ------FIEGCBKEGCFCBFIDBFIIContent-Disposition: form-data; name="hwid"12D6FDC7273C2002295620------FIEGCBKEGCFCBFIDBFIIContent-Disposition: form-data; name="build"mars------FIEGCBKEGCFCBFIDBFII--
Source: Joe Sandbox View IP Address: 185.215.113.206 185.215.113.206
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A4C50 lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,InternetOpenA,StrCmpCA,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,InternetConnectA,HttpOpenRequestA,lstrcpy,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,lstrlen,lstrcpy,lstrcat,lstrcpy,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy, 0_2_003A4C50
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: unknown HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIEGCBKEGCFCBFIDBFIIHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 32 44 36 46 44 43 37 32 37 33 43 32 30 30 32 32 39 35 36 32 30 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 45 47 43 42 4b 45 47 43 46 43 42 46 49 44 42 46 49 49 2d 2d 0d 0a Data Ascii: ------FIEGCBKEGCFCBFIDBFIIContent-Disposition: form-data; name="hwid"12D6FDC7273C2002295620------FIEGCBKEGCFCBFIDBFIIContent-Disposition: form-data; name="build"mars------FIEGCBKEGCFCBFIDBFII--
Source: file.exe, 00000000.00000002.1519984196.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1519984196.0000000000F53000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/L
Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/Pg
Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/ug
Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpaoNw
Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpktop
Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpmoZw
Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpyo&w
Source: file.exe, 00000000.00000002.1519984196.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A9770 memset,memset,lstrcat,lstrcat,lstrcat,memset,wsprintfA,OpenDesktopA,CreateDesktopA,lstrcat,lstrcat,lstrcat,memset,SHGetFolderPathA,lstrcpy,StrStrA,lstrcpyn,lstrlen,wsprintfA,lstrcpy,Sleep,CloseDesktop, 0_2_003A9770

System Summary

barindex
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F 0_2_0075A82F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C48B0 0_2_003C48B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0076317B 0_2_0076317B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075F94F 0_2_0075F94F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006D99F6 0_2_006D99F6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006DFA20 0_2_006DFA20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007822CA 0_2_007822CA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005FEB6A 0_2_005FEB6A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062D359 0_2_0062D359
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00733B2A 0_2_00733B2A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075C318 0_2_0075C318
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00764BF4 0_2_00764BF4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00654DE0 0_2_00654DE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007575BE 0_2_007575BE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075DE59 0_2_0075DE59
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FA627 0_2_006FA627
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006AA639 0_2_006AA639
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00761610 0_2_00761610
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006A475B 0_2_006A475B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00742740 0_2_00742740
Source: C:\Users\user\Desktop\file.exe Code function: String function: 003A4A60 appears 316 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: bvkzsckp ZLIB complexity 0.9949526579483695
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C3A50 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_003C3A50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003BCAE0 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_003BCAE0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\2N9DECTF.htm Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: file.exe Static file information: File size 1801728 > 1048576
Source: file.exe Static PE information: Raw size of bvkzsckp is bigger than: 0x100000 < 0x19e000

Data Obfuscation

barindex
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.3a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bvkzsckp:EW;wpxlzhew:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bvkzsckp:EW;wpxlzhew:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_003C6390
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: real checksum: 0x1c41a7 should be: 0x1ba7c6
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: bvkzsckp
Source: file.exe Static PE information: section name: wpxlzhew
Source: file.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007F9877 push 53CC1ED9h; mov dword ptr [esp], esi 0_2_007F9898
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0081C08B push 6F3F86BBh; mov dword ptr [esp], esi 0_2_0081C0A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007FA04D push ecx; mov dword ptr [esp], 132F791Eh 0_2_007FA07C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007FA04D push ecx; mov dword ptr [esp], ebp 0_2_007FA0D6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007FA04D push 2ACD2504h; mov dword ptr [esp], ebx 0_2_007FA198
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008188B8 push 0EC53120h; mov dword ptr [esp], edx 0_2_008188D7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A310E6 push edx; mov dword ptr [esp], ecx 0_2_00A3111C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0078002B push 7297C4E7h; mov dword ptr [esp], ebp 0_2_007800D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0078002B push eax; mov dword ptr [esp], ebp 0_2_0078016F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0078C020 push 776AB19Eh; mov dword ptr [esp], esi 0_2_0078C044
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0078C020 push edx; mov dword ptr [esp], edi 0_2_0078C0E2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push 3590226Dh; mov dword ptr [esp], eax 0_2_0075A83A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push edi; mov dword ptr [esp], ebp 0_2_0075A8C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push 7650A7CEh; mov dword ptr [esp], edi 0_2_0075A97B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push edi; mov dword ptr [esp], ebx 0_2_0075AA0E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push esi; mov dword ptr [esp], edx 0_2_0075AAD1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push eax; mov dword ptr [esp], esi 0_2_0075AB5F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push 0930FA61h; mov dword ptr [esp], edi 0_2_0075AB73
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push eax; mov dword ptr [esp], 7EEF0902h 0_2_0075AB77
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push ebx; mov dword ptr [esp], 49043933h 0_2_0075ABF3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push 29CD22B8h; mov dword ptr [esp], eax 0_2_0075AC9B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push 1A283E76h; mov dword ptr [esp], edi 0_2_0075ADD4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push ebp; mov dword ptr [esp], ecx 0_2_0075AE69
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push 3266154Dh; mov dword ptr [esp], ebx 0_2_0075AEB6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push 0E013E59h; mov dword ptr [esp], ebx 0_2_0075AED4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push ebx; mov dword ptr [esp], 5BFC93E8h 0_2_0075AF00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push ebp; mov dword ptr [esp], 2663EE7Ah 0_2_0075AF4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push ecx; mov dword ptr [esp], 4358BB07h 0_2_0075AF97
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push edx; mov dword ptr [esp], 7A137CD4h 0_2_0075AFA9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push 63C2366Bh; mov dword ptr [esp], ebx 0_2_0075AFF7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075A82F push ebx; mov dword ptr [esp], ecx 0_2_0075B036
Source: file.exe Static PE information: section name: bvkzsckp entropy: 7.954205119392446

Boot Survival

barindex
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_003C6390

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F0412 second address: 5EFC67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F292CD152F1h 0x0000000c nop 0x0000000d add dword ptr [ebp+122D18F0h], edx 0x00000013 push dword ptr [ebp+122D169Dh] 0x00000019 js 00007F292CD152ECh 0x0000001f mov dword ptr [ebp+122D1A7Ch], eax 0x00000025 call dword ptr [ebp+122D2B67h] 0x0000002b pushad 0x0000002c jnl 00007F292CD152F0h 0x00000032 xor eax, eax 0x00000034 jmp 00007F292CD152F0h 0x00000039 mov edx, dword ptr [esp+28h] 0x0000003d mov dword ptr [ebp+122D318Bh], edi 0x00000043 mov dword ptr [ebp+122D3B33h], eax 0x00000049 mov dword ptr [ebp+122D3442h], eax 0x0000004f cmc 0x00000050 mov esi, 0000003Ch 0x00000055 jng 00007F292CD152EEh 0x0000005b add esi, dword ptr [esp+24h] 0x0000005f js 00007F292CD152ECh 0x00000065 mov dword ptr [ebp+122D318Bh], ecx 0x0000006b lodsw 0x0000006d cmc 0x0000006e add eax, dword ptr [esp+24h] 0x00000072 jmp 00007F292CD152ECh 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b mov dword ptr [ebp+122D30E3h], ebx 0x00000081 nop 0x00000082 jg 00007F292CD152F0h 0x00000088 push eax 0x00000089 push eax 0x0000008a push edx 0x0000008b pushad 0x0000008c pushad 0x0000008d popad 0x0000008e jp 00007F292CD152E6h 0x00000094 popad 0x00000095 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 769B03 second address: 769B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F292CD65AA6h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F292CD65AA6h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 769B18 second address: 769B1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 769DE0 second address: 769E07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AADh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jc 00007F292CD65AAEh 0x00000011 pop ebx 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 769F64 second address: 769F8A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F292CD152EAh 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 push eax 0x00000012 pop eax 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F292CD152ECh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 769F8A second address: 769F8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 769F8E second address: 769F94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76A0E1 second address: 76A0E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76A0E5 second address: 76A113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F292CD152F1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F292CD152F7h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76A113 second address: 76A128 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jo 00007F292CD65AACh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76CF65 second address: 76CF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D11A second address: 76D120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D120 second address: 76D125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D125 second address: 76D189 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F292CD65AA8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push edx 0x00000011 jl 00007F292CD65ABDh 0x00000017 jmp 00007F292CD65AB7h 0x0000001c pop edx 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 jmp 00007F292CD65AACh 0x00000025 jne 00007F292CD65AB7h 0x0000002b jmp 00007F292CD65AB1h 0x00000030 popad 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 jne 00007F292CD65ABBh 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D246 second address: 76D24A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D24A second address: 76D2BE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F292CD65AA8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 call 00007F292CD65AAAh 0x00000029 xor edx, dword ptr [ebp+122D3A87h] 0x0000002f pop ecx 0x00000030 push 00000000h 0x00000032 jbe 00007F292CD65AB2h 0x00000038 jo 00007F292CD65AACh 0x0000003e mov dword ptr [ebp+122D18F0h], ecx 0x00000044 call 00007F292CD65AA9h 0x00000049 jmp 00007F292CD65AB1h 0x0000004e push eax 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D2BE second address: 76D2C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D2C2 second address: 76D2F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F292CD65AB7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D2F5 second address: 76D2FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D2FB second address: 76D301 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D301 second address: 76D39A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d jo 00007F292CD152F8h 0x00000013 push ebx 0x00000014 jmp 00007F292CD152F0h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e jg 00007F292CD152EEh 0x00000024 pop eax 0x00000025 mov dword ptr [ebp+122D1913h], ecx 0x0000002b push 00000003h 0x0000002d xor edi, dword ptr [ebp+122D2044h] 0x00000033 mov edi, 1FBE1FB5h 0x00000038 push 00000000h 0x0000003a mov dword ptr [ebp+122D1A00h], edi 0x00000040 push 00000003h 0x00000042 push 00000000h 0x00000044 push ebp 0x00000045 call 00007F292CD152E8h 0x0000004a pop ebp 0x0000004b mov dword ptr [esp+04h], ebp 0x0000004f add dword ptr [esp+04h], 00000019h 0x00000057 inc ebp 0x00000058 push ebp 0x00000059 ret 0x0000005a pop ebp 0x0000005b ret 0x0000005c or dword ptr [ebp+122D19A6h], edx 0x00000062 push B27F8246h 0x00000067 pushad 0x00000068 push ebx 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D42B second address: 76D42F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D42F second address: 76D435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D435 second address: 76D4A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F292CD65AB0h 0x0000000f nop 0x00000010 pushad 0x00000011 mov dword ptr [ebp+122D30E3h], ebx 0x00000017 mov cx, 3AB2h 0x0000001b popad 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007F292CD65AA8h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 push edx 0x00000039 mov dl, 71h 0x0000003b pop esi 0x0000003c call 00007F292CD65AA9h 0x00000041 push eax 0x00000042 push edx 0x00000043 push esi 0x00000044 pushad 0x00000045 popad 0x00000046 pop esi 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D4A1 second address: 76D4BA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F292CD152E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jp 00007F292CD152E6h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D4BA second address: 76D4CE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F292CD65AA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D4CE second address: 76D4E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F292CD152ECh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D4E5 second address: 76D583 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007F292CD65AABh 0x00000010 pop eax 0x00000011 xor cx, DBF0h 0x00000016 push 00000003h 0x00000018 mov dword ptr [ebp+122D323Fh], eax 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007F292CD65AA8h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 00000015h 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a mov esi, dword ptr [ebp+122D3AEBh] 0x00000040 mov dword ptr [ebp+122D2AADh], ebx 0x00000046 push 00000003h 0x00000048 mov cx, 466Ah 0x0000004c push 70BB4B49h 0x00000051 pushad 0x00000052 pushad 0x00000053 jmp 00007F292CD65AB9h 0x00000058 jmp 00007F292CD65AB3h 0x0000005d popad 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007F292CD65AB3h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D583 second address: 76D5AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 4F44B4B7h 0x0000000e jnc 00007F292CD152ECh 0x00000014 lea ebx, dword ptr [ebp+12450EABh] 0x0000001a mov edi, 65030B0Bh 0x0000001f xchg eax, ebx 0x00000020 push ebx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D5AD second address: 76D5C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F292CD65AA6h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D5C0 second address: 76D5C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76D5C4 second address: 76D5CA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77E036 second address: 77E04A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77E04A second address: 77E04F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77E04F second address: 77E05D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77E05D second address: 77E066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77E066 second address: 77E06A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77E06A second address: 77E06E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78DB62 second address: 78DB78 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F292CD152E6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jne 00007F292CD152E6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78BE2F second address: 78BE3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jng 00007F292CD65AACh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78BF9E second address: 78BFA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78BFA4 second address: 78BFA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78BFA8 second address: 78BFAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78C3DC second address: 78C3E6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F292CD65AACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78C8F5 second address: 78C920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F292CD152E6h 0x0000000a jng 00007F292CD152E6h 0x00000010 popad 0x00000011 push esi 0x00000012 jmp 00007F292CD152F4h 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78D4D0 second address: 78D4DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F292CD65AAAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78D4DF second address: 78D4EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jc 00007F292CD152E6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78084A second address: 780865 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AB7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 780865 second address: 78087B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F292CD152EDh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 793083 second address: 793087 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 791A4B second address: 791A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 791A50 second address: 791A55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7932E7 second address: 7932ED instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7932ED second address: 7932F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F292CD65AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7932F7 second address: 79335E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F292CD152F2h 0x0000000f jmp 00007F292CD152EDh 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 pushad 0x0000001a jng 00007F292CD152ECh 0x00000020 jl 00007F292CD152E6h 0x00000026 jg 00007F292CD152ECh 0x0000002c popad 0x0000002d mov eax, dword ptr [eax] 0x0000002f jmp 00007F292CD152F4h 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79335E second address: 793369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F292CD65AA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 794710 second address: 794724 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 794724 second address: 79472A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79472A second address: 79472E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79472E second address: 79474D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F292CD65AB2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79474D second address: 794762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F292CD152F0h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 794762 second address: 794767 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 794767 second address: 794784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F292CD152F7h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79BEDA second address: 79BEDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79BEDE second address: 79BEE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79BF8D second address: 79BF94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79BF94 second address: 79BFAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F292CD152E6h 0x00000009 jns 00007F292CD152E6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C591 second address: 79C595 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C756 second address: 79C75B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79C75B second address: 79C761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79CD2B second address: 79CD2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79CEEA second address: 79CEEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D8ED second address: 79D8F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79FFB0 second address: 79FFBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F292CD65AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79FFBA second address: 79FFBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A0902 second address: 7A0940 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F292CD65AB4h 0x0000000e popad 0x0000000f nop 0x00000010 add dword ptr [ebp+122D185Eh], ecx 0x00000016 push 00000000h 0x00000018 xor edi, dword ptr [ebp+122D294Bh] 0x0000001e push 00000000h 0x00000020 movzx edi, cx 0x00000023 xchg eax, ebx 0x00000024 push edi 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A0940 second address: 7A0970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F292CD152F8h 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e jc 00007F292CD152E6h 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007F292CD152E6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A06EF second address: 7A070C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A1E54 second address: 7A1E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A1E58 second address: 7A1E5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A1E5C second address: 7A1EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F292CD152E8h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 mov esi, dword ptr [ebp+122D1A29h] 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007F292CD152E8h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 00000019h 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 pushad 0x00000046 mov dword ptr [ebp+122D30F0h], ecx 0x0000004c mov dx, 8F46h 0x00000050 popad 0x00000051 jmp 00007F292CD152F8h 0x00000056 xchg eax, ebx 0x00000057 jo 00007F292CD152F8h 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A1EDA second address: 7A1EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A1EDE second address: 7A1EF7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F292CD152E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F292CD152ECh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A270D second address: 7A2713 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A5699 second address: 7A569D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A569D second address: 7A56A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A56A1 second address: 7A56BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F292CD152ECh 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F292CD152E6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A56BF second address: 7A56C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A56C3 second address: 7A56C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A5BBA second address: 7A5C34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F292CD65AA8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov ebx, eax 0x00000026 push 00000000h 0x00000028 jnl 00007F292CD65AACh 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007F292CD65AA8h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 0000001Dh 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a mov bx, 1A72h 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A5C34 second address: 7A5C38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A5C38 second address: 7A5C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AA28D second address: 7AA2A4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F292CD152F1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 758895 second address: 758899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AAAD9 second address: 7AAADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 758899 second address: 7588BA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F292CD65AA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e jmp 00007F292CD65AB1h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AAADD second address: 7AAAF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F292CD152EBh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007F292CD152E6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7588BA second address: 7588C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AAAF9 second address: 7AAB03 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AAB03 second address: 7AAB07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AE1C6 second address: 7AE235 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F292CD152F6h 0x00000008 jng 00007F292CD152E6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push ecx 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 pop ecx 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007F292CD152E8h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 ja 00007F292CD152ECh 0x00000039 push 00000000h 0x0000003b mov dword ptr [ebp+122D2A7Dh], ebx 0x00000041 push 00000000h 0x00000043 mov ebx, 52BE9404h 0x00000048 xchg eax, esi 0x00000049 push edi 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AE235 second address: 7AE239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AE239 second address: 7AE25C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F292CD152F8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF1D9 second address: 7AF248 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F292CD65AB5h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F292CD65AA8h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 push 00000000h 0x0000002b mov bl, 96h 0x0000002d push 00000000h 0x0000002f mov bl, 97h 0x00000031 call 00007F292CD65AB3h 0x00000036 mov edi, dword ptr [ebp+122D390Bh] 0x0000003c pop ebx 0x0000003d push eax 0x0000003e jo 00007F292CD65AB0h 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF375 second address: 7AF382 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F292CD152E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B115E second address: 7B1168 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B1168 second address: 7B11A2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov bh, 6Bh 0x0000000c movzx ebx, dx 0x0000000f push 00000000h 0x00000011 mov ebx, dword ptr [ebp+122D19B2h] 0x00000017 push 00000000h 0x00000019 mov ebx, dword ptr [ebp+122D39E3h] 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jnl 00007F292CD152F8h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B0313 second address: 7B0317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B0317 second address: 7B031B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B72BC second address: 7B72E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F292CD65AA6h 0x00000009 jmp 00007F292CD65AB2h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jg 00007F292CD65AACh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B92EA second address: 7B9307 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B9307 second address: 7B930B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B930B second address: 7B9327 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b jmp 00007F292CD152F0h 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B9327 second address: 7B932C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B932C second address: 7B9388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov ebx, dword ptr [ebp+122D1CAAh] 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F292CD152E8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e mov ebx, edx 0x00000030 mov edi, dword ptr [ebp+122D2B6Dh] 0x00000036 jmp 00007F292CD152F0h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F292CD152EDh 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B9388 second address: 7B9392 instructions: 0x00000000 rdtsc 0x00000002 js 00007F292CD65AACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B32EC second address: 7B3301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 jne 00007F292CD152E6h 0x0000000e jno 00007F292CD152E6h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B426C second address: 7B4270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B6388 second address: 7B638D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B7533 second address: 7B7539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B7539 second address: 7B753D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B753D second address: 7B7541 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B8546 second address: 7B854D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B854D second address: 7B8552 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B8614 second address: 7B8618 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B95B9 second address: 7B95BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BD781 second address: 7BD78B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F292CD152ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C22ED second address: 7C22F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C22F2 second address: 7C22F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C22F8 second address: 7C22FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C258D second address: 7C25A5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F292CD152E6h 0x00000008 jnp 00007F292CD152E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F292CD152E6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C88D7 second address: 7C88DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CABAE second address: 7CABB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CABB4 second address: 7CABC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F292CD65AADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CACA2 second address: 7CACA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CAE18 second address: 5EFC67 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F292CD65AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xor dword ptr [esp], 4348974Ah 0x00000012 clc 0x00000013 push dword ptr [ebp+122D169Dh] 0x00000019 ja 00007F292CD65AB3h 0x0000001f call dword ptr [ebp+122D2B67h] 0x00000025 pushad 0x00000026 jnl 00007F292CD65AB0h 0x0000002c pushad 0x0000002d mov si, 008Ch 0x00000031 mov dx, 773Dh 0x00000035 popad 0x00000036 xor eax, eax 0x00000038 jmp 00007F292CD65AB0h 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 mov dword ptr [ebp+122D318Bh], edi 0x00000047 mov dword ptr [ebp+122D3B33h], eax 0x0000004d mov dword ptr [ebp+122D3442h], eax 0x00000053 cmc 0x00000054 mov esi, 0000003Ch 0x00000059 jng 00007F292CD65AAEh 0x0000005f add esi, dword ptr [esp+24h] 0x00000063 js 00007F292CD65AACh 0x00000069 mov dword ptr [ebp+122D318Bh], ecx 0x0000006f lodsw 0x00000071 cmc 0x00000072 add eax, dword ptr [esp+24h] 0x00000076 jmp 00007F292CD65AACh 0x0000007b mov ebx, dword ptr [esp+24h] 0x0000007f mov dword ptr [ebp+122D30E3h], ebx 0x00000085 nop 0x00000086 jg 00007F292CD65AB0h 0x0000008c push eax 0x0000008d push eax 0x0000008e push edx 0x0000008f pushad 0x00000090 pushad 0x00000091 popad 0x00000092 jp 00007F292CD65AA6h 0x00000098 popad 0x00000099 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CFD41 second address: 7CFD47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CFD47 second address: 7CFD4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CEAF1 second address: 7CEAFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CEAFB second address: 7CEAFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CEAFF second address: 7CEB03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF080 second address: 7CF086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF086 second address: 7CF08A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF08A second address: 7CF08E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF08E second address: 7CF09E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F292CD152EAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF09E second address: 7CF0A3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF61A second address: 7CF621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF621 second address: 7CF62D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F292CD65AA6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF77A second address: 7CF786 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF786 second address: 7CF7BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F292CD65AB5h 0x00000011 jo 00007F292CD65AA6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF7BD second address: 7CF7C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF7C3 second address: 7CF7DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F292CD65AB3h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF7DE second address: 7CF7E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF7E3 second address: 7CF7EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D45AD second address: 7D45B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D45B4 second address: 7D45BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F292CD65AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4755 second address: 7D4780 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F292CD152E6h 0x00000008 jmp 00007F292CD152F3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jo 00007F292CD152F2h 0x00000015 jne 00007F292CD152E6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4780 second address: 7D479A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F292CD65AAEh 0x0000000a jl 00007F292CD65AA6h 0x00000010 push esi 0x00000011 pop esi 0x00000012 popad 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D479A second address: 7D479E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4ABA second address: 7D4AEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AB5h 0x00000007 jnl 00007F292CD65AAEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007F292CD65AA6h 0x00000018 push eax 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4AEC second address: 7D4AF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4AF0 second address: 7D4AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4AFC second address: 7D4B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4C70 second address: 7D4C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F292CD65AB4h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D4C8B second address: 7D4CA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D41D5 second address: 7D41E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 je 00007F292CD65AA6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D550A second address: 7D550F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D550F second address: 7D5515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D9CCD second address: 7D9CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D9CD3 second address: 7D9CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A3B44 second address: 7A3B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A3B48 second address: 7A3BAF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a jng 00007F292CD65AA6h 0x00000010 pop edx 0x00000011 jmp 00007F292CD65AB8h 0x00000016 popad 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007F292CD65AA8h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 00000016h 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 push eax 0x00000033 xor ecx, 6966F501h 0x00000039 pop edi 0x0000003a lea eax, dword ptr [ebp+12487865h] 0x00000040 mov dword ptr [ebp+122D58FDh], edi 0x00000046 push eax 0x00000047 js 00007F292CD65AB0h 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A3BAF second address: 78087B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F292CD152E8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 mov dx, 583Bh 0x00000028 call dword ptr [ebp+122D2347h] 0x0000002e ja 00007F292CD15315h 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F292CD152EDh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4022 second address: 5EFC67 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 ja 00007F292CD65AA7h 0x0000000e push dword ptr [ebp+122D169Dh] 0x00000014 mov cx, 1F71h 0x00000018 call dword ptr [ebp+122D2B67h] 0x0000001e pushad 0x0000001f jnl 00007F292CD65AB0h 0x00000025 xor eax, eax 0x00000027 jmp 00007F292CD65AB0h 0x0000002c mov edx, dword ptr [esp+28h] 0x00000030 mov dword ptr [ebp+122D318Bh], edi 0x00000036 mov dword ptr [ebp+122D3B33h], eax 0x0000003c mov dword ptr [ebp+122D3442h], eax 0x00000042 cmc 0x00000043 mov esi, 0000003Ch 0x00000048 jng 00007F292CD65AAEh 0x0000004e add esi, dword ptr [esp+24h] 0x00000052 js 00007F292CD65AACh 0x00000058 mov dword ptr [ebp+122D318Bh], ecx 0x0000005e lodsw 0x00000060 cmc 0x00000061 add eax, dword ptr [esp+24h] 0x00000065 jmp 00007F292CD65AACh 0x0000006a mov ebx, dword ptr [esp+24h] 0x0000006e mov dword ptr [ebp+122D30E3h], ebx 0x00000074 nop 0x00000075 jg 00007F292CD65AB0h 0x0000007b push eax 0x0000007c push eax 0x0000007d push edx 0x0000007e pushad 0x0000007f pushad 0x00000080 popad 0x00000081 jp 00007F292CD65AA6h 0x00000087 popad 0x00000088 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A40C0 second address: 7A4116 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F292CD152EFh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 jnc 00007F292CD152FCh 0x0000001a jnl 00007F292CD152ECh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4116 second address: 7A4122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4122 second address: 7A4127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4127 second address: 7A4197 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F292CD65AACh 0x00000008 jng 00007F292CD65AA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 je 00007F292CD65AAAh 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d pop edx 0x0000001e pop eax 0x0000001f call 00007F292CD65AB4h 0x00000024 jl 00007F292CD65AA9h 0x0000002a pop ecx 0x0000002b mov edx, ecx 0x0000002d call 00007F292CD65AA9h 0x00000032 jg 00007F292CD65ABDh 0x00000038 pushad 0x00000039 jmp 00007F292CD65AB3h 0x0000003e push eax 0x0000003f pop eax 0x00000040 popad 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jns 00007F292CD65AA8h 0x0000004a pushad 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4197 second address: 7A419D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A419D second address: 7A41A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A41A1 second address: 7A41C9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F292CD152EEh 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F292CD152EAh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A41C9 second address: 7A41D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F292CD65AA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A41D4 second address: 7A41E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A41E4 second address: 7A41EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A41EA second address: 7A41EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A41EF second address: 7A41F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A41F5 second address: 7A41F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A42B2 second address: 7A42B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4420 second address: 7A444A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F292CD152E6h 0x00000009 jmp 00007F292CD152F8h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A444A second address: 7A444E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A444E second address: 7A4452 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4452 second address: 7A4469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F292CD65AA8h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push esi 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4469 second address: 7A4479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4479 second address: 7A447F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A447F second address: 7A4483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4483 second address: 7A44B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F292CD65AB2h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4B40 second address: 7A4B44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4F10 second address: 7A4F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4F15 second address: 7A4F1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4F1B second address: 7A4F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4F1F second address: 7A4FD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jnc 00007F292CD152ECh 0x00000013 jmp 00007F292CD152F0h 0x00000018 popad 0x00000019 nop 0x0000001a jng 00007F292CD152EBh 0x00000020 or dx, 9994h 0x00000025 lea eax, dword ptr [ebp+124878A9h] 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007F292CD152E8h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 00000016h 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 cmc 0x00000046 jmp 00007F292CD152F2h 0x0000004b push eax 0x0000004c jmp 00007F292CD152EBh 0x00000051 mov dword ptr [esp], eax 0x00000054 mov dword ptr [ebp+122D2962h], ecx 0x0000005a lea eax, dword ptr [ebp+12487865h] 0x00000060 mov edx, dword ptr [ebp+122D2D47h] 0x00000066 add cx, B427h 0x0000006b nop 0x0000006c push esi 0x0000006d push ebx 0x0000006e push esi 0x0000006f pop esi 0x00000070 pop ebx 0x00000071 pop esi 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 push eax 0x00000076 push edx 0x00000077 pushad 0x00000078 popad 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4FD0 second address: 7A4FD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4FD4 second address: 7A4FDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4FDA second address: 781515 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F292CD65AA6h 0x00000009 jmp 00007F292CD65AB0h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F292CD65AA8h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov edi, 00C88D64h 0x00000031 call dword ptr [ebp+122D194Dh] 0x00000037 pushad 0x00000038 push ebx 0x00000039 push ebx 0x0000003a pop ebx 0x0000003b push edi 0x0000003c pop edi 0x0000003d pop ebx 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DA0D5 second address: 7DA0E4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F292CD152E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DA0E4 second address: 7DA0F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 jmp 00007F292CD65AACh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DA0F7 second address: 7DA11B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F292CD152E6h 0x00000009 jmp 00007F292CD152EAh 0x0000000e jne 00007F292CD152E6h 0x00000014 push esi 0x00000015 pop esi 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jo 00007F292CD152E6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DA26F second address: 7DA28C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F292CD65AB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DA28C second address: 7DA2A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DA5A2 second address: 7DA5BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F292CD65AAFh 0x00000009 jnl 00007F292CD65AA6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DA5BB second address: 7DA5C5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F292CD152E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DAA45 second address: 7DAA80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b jmp 00007F292CD65AB7h 0x00000010 jng 00007F292CD65AA6h 0x00000016 push eax 0x00000017 pop eax 0x00000018 popad 0x00000019 pushad 0x0000001a jns 00007F292CD65AA6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DF811 second address: 7DF81F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F292CD152E6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DF81F second address: 7DF823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DF823 second address: 7DF82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DFD80 second address: 7DFD84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DFD84 second address: 7DFD8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E019B second address: 7E01DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F292CD65AB6h 0x0000000a pushad 0x0000000b jmp 00007F292CD65AB6h 0x00000010 jl 00007F292CD65AA6h 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E01DA second address: 7E01DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E0371 second address: 7E0377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E0C4F second address: 7E0C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F292CD152E6h 0x0000000a popad 0x0000000b pushad 0x0000000c jl 00007F292CD152E6h 0x00000012 jmp 00007F292CD152F5h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E0C78 second address: 7E0C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ebx 0x00000007 push ebx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E3FE8 second address: 7E401C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152EFh 0x00000007 jmp 00007F292CD152F4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jnp 00007F292CD152E6h 0x00000015 pushad 0x00000016 popad 0x00000017 push edi 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F3C2C second address: 7F3C31 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F3C31 second address: 7F3C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F3C3A second address: 7F3C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F3C40 second address: 7F3C4D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F3C4D second address: 7F3C53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F3C53 second address: 7F3C57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F3DC5 second address: 7F3DDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F292CD65AB3h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F3DDF second address: 7F3DE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F8FD3 second address: 7F8FD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F8FD7 second address: 7F8FF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F917A second address: 7F917E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F917E second address: 7F9184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F9184 second address: 7F918B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F918B second address: 7F9191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F9191 second address: 7F91A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jl 00007F292CD65AB2h 0x0000000d jnc 00007F292CD65AA6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F930C second address: 7F9311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F9461 second address: 7F9465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F9465 second address: 7F9469 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F9469 second address: 7F9485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F292CD65AA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F292CD65AACh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F9485 second address: 7F9489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F9489 second address: 7F948F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F948F second address: 7F94AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F292CD152E6h 0x0000000d push edi 0x0000000e pop edi 0x0000000f jp 00007F292CD152E6h 0x00000015 popad 0x00000016 popad 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A4999 second address: 7A499D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A499D second address: 7A49A7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F292CD152E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FF246 second address: 7FF24C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FF24C second address: 7FF255 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FF255 second address: 7FF261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FF261 second address: 7FF265 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FE4FC second address: 7FE505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 805179 second address: 805184 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 805DB9 second address: 805DBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80AF16 second address: 80AF2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F292CD152EFh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80B1F1 second address: 80B1FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80B1FF second address: 80B205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80B205 second address: 80B20B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80B20B second address: 80B20F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80B354 second address: 80B35A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80B8FA second address: 80B90D instructions: 0x00000000 rdtsc 0x00000002 je 00007F292CD152E6h 0x00000008 jg 00007F292CD152E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80B90D second address: 80B913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80B913 second address: 80B919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8181A0 second address: 8181A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8181A6 second address: 8181C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F292CD152F9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8182F7 second address: 818302 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81862B second address: 818631 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818956 second address: 81896E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F292CD65AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F292CD65AAEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81896E second address: 818984 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F292CD152F1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818984 second address: 81899E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007F292CD65AA6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jp 00007F292CD65AC5h 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818B19 second address: 818B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F292CD152F1h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F292CD152F1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818E32 second address: 818E51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 818E51 second address: 818E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 817D22 second address: 817D26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 817D26 second address: 817D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007F292CD152F0h 0x00000012 jmp 00007F292CD152F1h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82212E second address: 822138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 822138 second address: 82213E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82213E second address: 82214B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82D2D8 second address: 82D2ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F292CD152EFh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82D2ED second address: 82D2F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 830411 second address: 830415 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 830415 second address: 83042B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F292CD65AA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d pushad 0x0000000e push esi 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83042B second address: 830435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F292CD152E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 830435 second address: 830449 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 848509 second address: 848515 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F292CD152E6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 848515 second address: 848520 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 ja 00007F292CD65AA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 848520 second address: 84854D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F292CD152F8h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F292CD15316h 0x00000012 jbe 00007F292CD15302h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 846CD5 second address: 846CF2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F292CD65AA6h 0x00000008 jmp 00007F292CD65AAEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 846E7E second address: 846E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 846E86 second address: 846E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 846E8C second address: 846E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84703A second address: 84705F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jns 00007F292CD65AA6h 0x0000000e jl 00007F292CD65AA6h 0x00000014 popad 0x00000015 pop esi 0x00000016 pushad 0x00000017 ja 00007F292CD65AB2h 0x0000001d jno 00007F292CD65AA6h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84705F second address: 847091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F292CD152EAh 0x0000000a jnp 00007F292CD15300h 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F292CD152F8h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 847091 second address: 847097 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 847097 second address: 84709B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8474F7 second address: 84751F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F292CD65AA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F292CD65AAEh 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F292CD65AADh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84751F second address: 847526 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84826E second address: 848274 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 848274 second address: 84827A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84827A second address: 84827E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84C047 second address: 84C04D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84C04D second address: 84C051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84C051 second address: 84C06C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84C06C second address: 84C080 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AB0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84C080 second address: 84C086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84C086 second address: 84C0A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AABh 0x00000007 pushad 0x00000008 jmp 00007F292CD65AB3h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84C0A9 second address: 84C0AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8569CD second address: 856A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jo 00007F292CD65AA6h 0x0000000c popad 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 jp 00007F292CD65AA6h 0x00000017 pop edi 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b je 00007F292CD65AA6h 0x00000021 jmp 00007F292CD65AB9h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 856A09 second address: 856A0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 856A0E second address: 856A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F292CD65AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8670CB second address: 8670DC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F292CD152E6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8670DC second address: 867128 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F292CD65AA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007F292CD65ACEh 0x00000012 jmp 00007F292CD65AAFh 0x00000017 jmp 00007F292CD65AB9h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F292CD65AB0h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 867128 second address: 86712C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 866F16 second address: 866F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 866F23 second address: 866F2D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F292CD152E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 866F2D second address: 866F6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AAAh 0x00000007 jmp 00007F292CD65AB7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F292CD65AA6h 0x00000017 jmp 00007F292CD65AB1h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 869D90 second address: 869DA1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F292CD152E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 869DA1 second address: 869DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86995A second address: 86995E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86995E second address: 869966 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 869AAE second address: 869ABA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F292CD152E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87F751 second address: 87F755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87F755 second address: 87F775 instructions: 0x00000000 rdtsc 0x00000002 je 00007F292CD152E6h 0x00000008 jmp 00007F292CD152EAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push edi 0x00000011 pop edi 0x00000012 push edx 0x00000013 pop edx 0x00000014 pop esi 0x00000015 pop ebx 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87F775 second address: 87F77B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87FB31 second address: 87FB3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87FB3A second address: 87FB3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87FB3E second address: 87FB47 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87FC6C second address: 87FC70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87FC70 second address: 87FC7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F292CD152E6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87FC7E second address: 87FC86 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87FC86 second address: 87FC9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F292CD152F2h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 87FF75 second address: 87FF7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8800CC second address: 8800D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 880226 second address: 88022C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88022C second address: 88023B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F292CD152E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88023B second address: 88023F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88023F second address: 880247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 882097 second address: 8820B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jp 00007F292CD65AA6h 0x0000000c popad 0x0000000d jmp 00007F292CD65AAEh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8820B2 second address: 8820BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8820BA second address: 8820DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F292CD65AB2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jne 00007F292CD65AA6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8820DC second address: 882100 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD152F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jg 00007F292CD152EEh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 882100 second address: 88211A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F292CD65AACh 0x0000000a jns 00007F292CD65AA6h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jne 00007F292CD65AA6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 88211A second address: 88211E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 884DAC second address: 884DB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F292CD65AA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 884E70 second address: 884E76 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F402AD second address: 4F402B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F402B1 second address: 4F402B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F402B7 second address: 4F402DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F292CD65AAEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F402DA second address: 4F4031C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, DEA4h 0x00000007 call 00007F292CD152EDh 0x0000000c pop esi 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 mov bx, 0E40h 0x00000016 mov dh, CEh 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c mov di, ax 0x0000001f push eax 0x00000020 push edx 0x00000021 call 00007F292CD152F8h 0x00000026 pop ecx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F4031C second address: 4F4033C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebp 0x00000008 pushad 0x00000009 mov edi, 1EB97DD0h 0x0000000e push eax 0x0000000f push edx 0x00000010 call 00007F292CD65AAFh 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40357 second address: 4F40374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F292CD152F8h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40374 second address: 4F40398 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F292CD65AB0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40398 second address: 4F4039E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F4039E second address: 4F403D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F292CD65AAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F292CD65AACh 0x00000013 adc cl, 00000038h 0x00000016 jmp 00007F292CD65AABh 0x0000001b popfd 0x0000001c mov edx, eax 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F403D3 second address: 4F403E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F292CD152F0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F403E7 second address: 4F403FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F292CD65AAAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F403FC second address: 4F40402 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40402 second address: 4F40406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40406 second address: 4F4040A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79F2AE second address: 79F2B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79F2B2 second address: 79F2B8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5EFBFC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5EFCA9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 791C00 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7BD7CA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7A3CBB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe API coverage: 4.8 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B18A0 lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 0_2_003B18A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B3910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,DeleteFileA,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_003B3910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003BE210 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 0_2_003BE210
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B1269 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_003B1269
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B1250 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_003B1250
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B4B29 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA, 0_2_003B4B29
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B4B10 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_003B4B10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B23A9 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA, 0_2_003B23A9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003ADB99 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_003ADB99
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003B2390 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA, 0_2_003B2390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003ADB80 lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcpy,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,StrCmpCA,lstrcpy,GetFileAttributesA,StrCmpCA,lstrcpy,CopyFileA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,StrCmpCA,DeleteFileA,StrCmpCA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_003ADB80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003BCBE0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,CreateFileA,GetFileSizeEx,CloseHandle,CloseHandle,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 0_2_003BCBE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003BDD30 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,lstrcpy, 0_2_003BDD30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003BD530 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcpy,FindNextFileA,FindClose, 0_2_003BD530
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A16B9 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,FindFirstFileA, 0_2_003A16B9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A16A0 lstrcpy,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,GetFileAttributesA,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcpy,lstrlen,lstrcpy,lstrcat,lstrcpy,lstrcat,lstrcpy,CopyFileA,lstrcpy,lstrcpy,DeleteFileA,FindNextFileA,FindClose, 0_2_003A16A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C1BF0 lstrcpy,ExitProcess,GetSystemInfo,ExitProcess,GetUserDefaultLangID,ExitProcess,ExitProcess,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrlen,lstrcpy,lstrcat,lstrcpy,OpenEventA,CloseHandle,Sleep,OpenEventA,CreateEventA,CloseHandle,ExitProcess, 0_2_003C1BF0
Source: file.exe, file.exe, 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1519984196.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1519984196.0000000000F85000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.1519984196.0000000000F53000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

barindex
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003A4A60 VirtualProtect 00000000,00000004,00000100,? 0_2_003A4A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C6390 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_003C6390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C6390 mov eax, dword ptr fs:[00000030h] 0_2_003C6390
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_003C2A40
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: Yara match File source: Process Memory Space: file.exe PID: 1228, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C4610 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,Process32Next,CloseHandle, 0_2_003C4610
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C46A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle, 0_2_003C46A0
Source: file.exe Binary or memory string: Program Manager
Source: file.exe, 00000000.00000002.1519403459.0000000000774000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_003C2D60
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C1B20 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_003C1B20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C2A40 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_003C2A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_003C2C10 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_003C2C10

Stealing of Sensitive Information

barindex
Source: Yara match File source: 00000000.00000002.1519984196.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1459234252.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 1228, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

Remote Access Functionality

barindex
Source: Yara match File source: 00000000.00000002.1519984196.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1519126327.00000000003A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1459234252.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 1228, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs