Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1502383
MD5:d6bf1c871bcb459f85a6cffc7367ebd2
SHA1:0fbb9c88ec4e9e3b02be1e53a737ce5d2a632451
SHA256:6a3d6a5974bbd540286b02095fea0e50746094dd90e2b39a6552e9479428cbe9
Tags:exe
Infos:

Detection

Amadey
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadeys stealer DLL
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Drops PE files
Entry point lies outside standard sections
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 3236 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D6BF1C871BCB459F85A6CFFC7367EBD2)
    • explorti.exe (PID: 1700 cmdline: "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" MD5: D6BF1C871BCB459F85A6CFFC7367EBD2)
  • explorti.exe (PID: 6740 cmdline: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe MD5: D6BF1C871BCB459F85A6CFFC7367EBD2)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
AmadeyAmadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000003.1651424668.0000000004980000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_Amadey_2Yara detected Amadey\'s stealer DLLJoe Security
    00000001.00000002.1727702527.00000000004B1000.00000040.00000001.01000000.00000007.sdmpJoeSecurity_Amadey_2Yara detected Amadey\'s stealer DLLJoe Security
      00000001.00000003.1685833008.0000000004CA0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_Amadey_2Yara detected Amadey\'s stealer DLLJoe Security
        00000000.00000002.1691825005.0000000000191000.00000040.00000001.01000000.00000003.sdmpJoeSecurity_Amadey_2Yara detected Amadey\'s stealer DLLJoe Security
          00000002.00000003.1692232383.00000000051F0000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_Amadey_2Yara detected Amadey\'s stealer DLLJoe Security
            Click to see the 1 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            1.2.explorti.exe.4b0000.0.unpackJoeSecurity_Amadey_2Yara detected Amadey\'s stealer DLLJoe Security
              2.2.explorti.exe.4b0000.0.unpackJoeSecurity_Amadey_2Yara detected Amadey\'s stealer DLLJoe Security
                0.2.file.exe.190000.0.unpackJoeSecurity_Amadey_2Yara detected Amadey\'s stealer DLLJoe Security

                  Sigma Signatures

                  No Sigma rule has matched

                  Suricata Signatures

                  No Suricata rule has matched

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus / Scanner detection for submitted sample
                  Source: file.exeAvira: detected
                  Antivirus detection for dropped file
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeAvira: detection malicious, Label: TR/Crypt.TPM.Gen
                  Multi AV Scanner detection for dropped file
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeVirustotal: Detection: 56%Perma Link
                  Multi AV Scanner detection for submitted file
                  Source: file.exeVirustotal: Detection: 56%Perma Link
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Machine Learning detection for dropped file
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeJoe Sandbox ML: detected
                  Machine Learning detection for sample
                  Source: file.exeJoe Sandbox ML: detected
                  Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

                  System Summary

                  barindex
                  PE file contains section with special chars
                  Source: file.exeStatic PE information: section name:
                  Source: file.exeStatic PE information: section name: .idata
                  Source: file.exeStatic PE information: section name:
                  Source: explorti.exe.0.drStatic PE information: section name:
                  Source: explorti.exe.0.drStatic PE information: section name: .idata
                  Source: explorti.exe.0.drStatic PE information: section name:
                  Source: C:\Users\user\Desktop\file.exeFile created: C:\Windows\Tasks\explorti.jobJump to behavior
                  Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: file.exeStatic PE information: Section: ZLIB complexity 0.9994236680327869
                  Source: file.exeStatic PE information: Section: xfsxygai ZLIB complexity 0.9944450463521254
                  Source: explorti.exe.0.drStatic PE information: Section: ZLIB complexity 0.9994236680327869
                  Source: explorti.exe.0.drStatic PE information: Section: xfsxygai ZLIB complexity 0.9944450463521254
                  Source: classification engineClassification label: mal100.spyw.evad.winEXE@4/3@0/0
                  Source: C:\Users\user\Desktop\file.exeMutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
                  Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7Jump to behavior
                  Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: file.exeVirustotal: Detection: 56%
                  Source: file.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                  Source: explorti.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                  Source: explorti.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                  Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" Jump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: mstask.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: dui70.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: duser.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: chartv.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: oleacc.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: atlthunk.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: wtsapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: winsta.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: explorerframe.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32Jump to behavior
                  Source: file.exeStatic file information: File size 1901568 > 1048576
                  Source: file.exeStatic PE information: Raw size of xfsxygai is bigger than: 0x100000 < 0x19ea00

                  Data Obfuscation

                  barindex
                  Detected unpacking (changes PE section rights)
                  Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.190000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xfsxygai:EW;lrtpjxrb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xfsxygai:EW;lrtpjxrb:EW;.taggant:EW;
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeUnpacked PE file: 1.2.explorti.exe.4b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xfsxygai:EW;lrtpjxrb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xfsxygai:EW;lrtpjxrb:EW;.taggant:EW;
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeUnpacked PE file: 2.2.explorti.exe.4b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xfsxygai:EW;lrtpjxrb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xfsxygai:EW;lrtpjxrb:EW;.taggant:EW;
                  Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                  Source: explorti.exe.0.drStatic PE information: real checksum: 0x1df482 should be: 0x1db883
                  Source: file.exeStatic PE information: real checksum: 0x1df482 should be: 0x1db883
                  Source: file.exeStatic PE information: section name:
                  Source: file.exeStatic PE information: section name: .idata
                  Source: file.exeStatic PE information: section name:
                  Source: file.exeStatic PE information: section name: xfsxygai
                  Source: file.exeStatic PE information: section name: lrtpjxrb
                  Source: file.exeStatic PE information: section name: .taggant
                  Source: explorti.exe.0.drStatic PE information: section name:
                  Source: explorti.exe.0.drStatic PE information: section name: .idata
                  Source: explorti.exe.0.drStatic PE information: section name:
                  Source: explorti.exe.0.drStatic PE information: section name: xfsxygai
                  Source: explorti.exe.0.drStatic PE information: section name: lrtpjxrb
                  Source: explorti.exe.0.drStatic PE information: section name: .taggant
                  Source: file.exeStatic PE information: section name: entropy: 7.974328731626917
                  Source: file.exeStatic PE information: section name: xfsxygai entropy: 7.9539400654889505
                  Source: explorti.exe.0.drStatic PE information: section name: entropy: 7.974328731626917
                  Source: explorti.exe.0.drStatic PE information: section name: xfsxygai entropy: 7.9539400654889505
                  Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeJump to dropped file

                  Boot Survival

                  barindex
                  Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
                  Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
                  Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                  Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
                  Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
                  Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeWindow searched: window name: FilemonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeWindow searched: window name: RegmonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeWindow searched: window name: FilemonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeWindow searched: window name: FilemonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeWindow searched: window name: RegmonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeWindow searched: window name: FilemonClassJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                  Source: C:\Users\user\Desktop\file.exeFile created: C:\Windows\Tasks\explorti.jobJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Tries to detect sandboxes / dynamic malware analysis system (registry check)
                  Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
                  Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                  Tries to detect virtualization through RDTSC time measurements
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 37E9F4 second address: 37E9F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 37E9F8 second address: 37E9FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 37E9FC second address: 37EA0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77F53AF7BDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 37EE34 second address: 37EE38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3812EE second address: 381315 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F77F53AF7C0h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 jns 00007F77F53AF7B6h 0x0000001b pop esi 0x0000001c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3813B5 second address: 3813B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3813B9 second address: 3813C3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F77F53AF7B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3813C3 second address: 3813D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77F50326BDh 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3813D4 second address: 3813D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3813D8 second address: 38141A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007F77F50326B8h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 mov si, 5AC4h 0x00000027 push 00000000h 0x00000029 add ecx, 0FEAAC24h 0x0000002f call 00007F77F50326B9h 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38141A second address: 381473 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F77F53AF7B8h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push esi 0x00000014 jne 00007F77F53AF7B8h 0x0000001a pop esi 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f jmp 00007F77F53AF7C6h 0x00000024 mov eax, dword ptr [eax] 0x00000026 jnp 00007F77F53AF7C2h 0x0000002c jl 00007F77F53AF7BCh 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 381473 second address: 381481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dword ptr [esp+04h], eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop ebx 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 381481 second address: 3814F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a adc cl, 0000001Ah 0x0000000d push 00000003h 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F77F53AF7B8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 mov edi, dword ptr [ebp+122D2E59h] 0x0000002f or si, 8421h 0x00000034 mov ecx, 4731E152h 0x00000039 push 00000000h 0x0000003b pushad 0x0000003c and eax, dword ptr [ebp+122D2A1Bh] 0x00000042 mov dword ptr [ebp+122D2D3Dh], eax 0x00000048 popad 0x00000049 sub esi, dword ptr [ebp+122D2C57h] 0x0000004f push 00000003h 0x00000051 jbe 00007F77F53AF7B9h 0x00000057 and dh, FFFFFFBBh 0x0000005a push B5630AC3h 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3814F2 second address: 381507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77F50326C0h 0x00000009 popad 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3815A1 second address: 3815A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3815A9 second address: 3815C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F77F50326C1h 0x0000000f jmp 00007F77F50326BBh 0x00000014 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3815C3 second address: 3815C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3815C9 second address: 3815CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3815CD second address: 3815F1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F77F53AF7BFh 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3815F1 second address: 3815F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3815F6 second address: 381624 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F77F53AF7CDh 0x00000008 jmp 00007F77F53AF7C7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 jns 00007F77F53AF7C0h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 381624 second address: 381689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 mov cl, 8Eh 0x0000000a push 00000003h 0x0000000c or dword ptr [ebp+122D2D50h], eax 0x00000012 push 00000000h 0x00000014 xor dword ptr [ebp+122D1B29h], eax 0x0000001a sub dword ptr [ebp+122D1B39h], edx 0x00000020 push 00000003h 0x00000022 or esi, 5B11C1D0h 0x00000028 call 00007F77F50326B9h 0x0000002d push edi 0x0000002e jmp 00007F77F50326C9h 0x00000033 pop edi 0x00000034 push eax 0x00000035 pushad 0x00000036 pushad 0x00000037 jmp 00007F77F50326C4h 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 381689 second address: 3816B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F77F53AF7BBh 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jbe 00007F77F53AF7BEh 0x00000015 push ecx 0x00000016 jp 00007F77F53AF7B6h 0x0000001c pop ecx 0x0000001d mov eax, dword ptr [eax] 0x0000001f push eax 0x00000020 push edx 0x00000021 push ecx 0x00000022 pushad 0x00000023 popad 0x00000024 pop ecx 0x00000025 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3816B4 second address: 3816B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3816B9 second address: 3816D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F77F53AF7B6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pushad 0x00000015 popad 0x00000016 pop edi 0x00000017 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3816D0 second address: 38171C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [ebp+122D2C07h] 0x0000000f lea ebx, dword ptr [ebp+12456201h] 0x00000015 jmp 00007F77F50326C1h 0x0000001a xchg eax, ebx 0x0000001b jmp 00007F77F50326C5h 0x00000020 push eax 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F77F50326BCh 0x00000029 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38171C second address: 381720 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 381720 second address: 381729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3817B1 second address: 3817B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3817B5 second address: 3817CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3817CC second address: 38185D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F77F53AF7B8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d js 00007F77F53AF7CEh 0x00000013 pushad 0x00000014 jc 00007F77F53AF7B6h 0x0000001a jmp 00007F77F53AF7C0h 0x0000001f popad 0x00000020 mov eax, dword ptr [esp+04h] 0x00000024 push esi 0x00000025 pushad 0x00000026 jmp 00007F77F53AF7BDh 0x0000002b jmp 00007F77F53AF7C9h 0x00000030 popad 0x00000031 pop esi 0x00000032 mov eax, dword ptr [eax] 0x00000034 jmp 00007F77F53AF7C9h 0x00000039 mov dword ptr [esp+04h], eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F77F53AF7C7h 0x00000044 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 38185D second address: 3818BE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 mov dword ptr [ebp+122D3047h], eax 0x0000000f push 00000003h 0x00000011 movsx edi, dx 0x00000014 push 00000000h 0x00000016 mov dh, FFh 0x00000018 push 00000003h 0x0000001a add esi, 42BB83E0h 0x00000020 call 00007F77F50326B9h 0x00000025 pushad 0x00000026 jmp 00007F77F50326C5h 0x0000002b jbe 00007F77F50326C2h 0x00000031 jmp 00007F77F50326BCh 0x00000036 popad 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a jp 00007F77F50326BCh 0x00000040 je 00007F77F50326B6h 0x00000046 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3818BE second address: 3818E7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F77F53AF7C9h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3818E7 second address: 3818EC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3818EC second address: 381915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push ecx 0x0000000a jmp 00007F77F53AF7C4h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 381915 second address: 38191F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F77F50326B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A2B9F second address: 3A2BA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A2BA3 second address: 3A2BB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F77F50326B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 367152 second address: 367177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F77F53AF7C0h 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e popad 0x0000000f jng 00007F77F53AF7C6h 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 367177 second address: 36717D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A0D2C second address: 3A0D48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F77F53AF7B6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A0D48 second address: 3A0D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A0D4C second address: 3A0D50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A0D50 second address: 3A0D60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007F77F50326BCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A0D60 second address: 3A0D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A11CE second address: 3A11D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A11D4 second address: 3A11DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A175C second address: 3A1769 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A1769 second address: 3A176F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A1B75 second address: 3A1B79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A1B79 second address: 3A1B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 jnc 00007F77F53AF7BCh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A1B91 second address: 3A1B95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A1CC4 second address: 3A1CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A1CC8 second address: 3A1CDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A1CDB second address: 3A1CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A1CDF second address: 3A1CE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A1CE5 second address: 3A1CEA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A1CEA second address: 3A1D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F77F50326CAh 0x0000000f jmp 00007F77F50326BEh 0x00000014 ja 00007F77F50326B6h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A1D11 second address: 3A1D1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F77F53AF7B6h 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A1D1B second address: 3A1D1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A1D1F second address: 3A1D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F77F53AF7B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A234D second address: 3A236A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F77F50326C8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A236A second address: 3A2372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A2761 second address: 3A2779 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326C2h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A73BB second address: 3A73BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A73BF second address: 3A7420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F77F50326BFh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F77F50326B8h 0x00000014 pushad 0x00000015 popad 0x00000016 pop edx 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b pushad 0x0000001c push esi 0x0000001d js 00007F77F50326B6h 0x00000023 pop esi 0x00000024 push ecx 0x00000025 push eax 0x00000026 pop eax 0x00000027 pop ecx 0x00000028 popad 0x00000029 mov eax, dword ptr [eax] 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e jmp 00007F77F50326C4h 0x00000033 jmp 00007F77F50326C4h 0x00000038 popad 0x00000039 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3A7420 second address: 3A7448 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jo 00007F77F53AF7B6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 pushad 0x00000013 js 00007F77F53AF7BCh 0x00000019 je 00007F77F53AF7B6h 0x0000001f pushad 0x00000020 jp 00007F77F53AF7B6h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AE82B second address: 3AE831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3ADBF7 second address: 3ADC3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 jc 00007F77F53AF7CEh 0x0000000f jmp 00007F77F53AF7C8h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jnc 00007F77F53AF7CEh 0x0000001d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3ADDBF second address: 3ADDCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3ADDCB second address: 3ADDE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77F53AF7C1h 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3ADF3D second address: 3ADF42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AE09E second address: 3AE0BB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F77F53AF7C3h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AE0BB second address: 3AE0BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AE0BF second address: 3AE0C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AF08B second address: 3AF0A1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F77F50326B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F77F50326B6h 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AF0A1 second address: 3AF0BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AF0BE second address: 3AF0D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77F50326C6h 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AF0D8 second address: 3AF134 instructions: 0x00000000 rdtsc 0x00000002 js 00007F77F53AF7B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jnc 00007F77F53AF7D3h 0x00000016 pop eax 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007F77F53AF7B8h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 push AFCF67C3h 0x00000036 pushad 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AF2B4 second address: 3AF2B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AF596 second address: 3AF5AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AF5AA second address: 3AF5B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F77F50326B6h 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AFD52 second address: 3AFD56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AFDEA second address: 3AFE05 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F77F50326BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jo 00007F77F50326C8h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AFE05 second address: 3AFE09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AFEE9 second address: 3AFEEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AFEEF second address: 3AFEF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AFF6F second address: 3AFF73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AFF73 second address: 3AFF81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F77F53AF7B6h 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3AFF81 second address: 3AFF85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B011F second address: 3B0123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B0123 second address: 3B0129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B0129 second address: 3B0138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77F53AF7BBh 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B375A second address: 3B3772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F77F50326B6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push ebx 0x0000000e jne 00007F77F50326B6h 0x00000014 pop ebx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B3772 second address: 3B377A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 368BD1 second address: 368BD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B3DA7 second address: 3B3DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B3DAB second address: 3B3DB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B3DB1 second address: 3B3DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B3DB5 second address: 3B3DB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B4EBE second address: 3B4EC3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B64B5 second address: 3B6506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jp 00007F77F50326B6h 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e popad 0x0000000f nop 0x00000010 cmc 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F77F50326B8h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov esi, dword ptr [ebp+122D2CFCh] 0x00000033 push 00000000h 0x00000035 mov esi, dword ptr [ebp+122D2C03h] 0x0000003b xchg eax, ebx 0x0000003c push eax 0x0000003d push edx 0x0000003e push edi 0x0000003f jmp 00007F77F50326BFh 0x00000044 pop edi 0x00000045 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B6506 second address: 3B6531 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F77F53AF7C3h 0x00000008 jmp 00007F77F53AF7BDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 pop eax 0x00000015 jmp 00007F77F53AF7BDh 0x0000001a popad 0x0000001b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B6F76 second address: 3B6F80 instructions: 0x00000000 rdtsc 0x00000002 je 00007F77F50326B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B6F80 second address: 3B6FB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F77F53AF7C6h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B7BE9 second address: 3B7BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B7BED second address: 3B7BF3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B7BF3 second address: 3B7BF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B6D05 second address: 3B6D0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B6D0B second address: 3B6D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BB868 second address: 3BB86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BDEAE second address: 3BDEB8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F77F50326B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BEECD second address: 3BEED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BEED1 second address: 3BEEEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F77F50326BFh 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BEEEB second address: 3BEEEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BFE35 second address: 3BFE48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F77F50326B6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BFE48 second address: 3BFE99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F77F53AF7BBh 0x0000000c popad 0x0000000d nop 0x0000000e mov ebx, dword ptr [ebp+122D2D8Ch] 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F77F53AF7B8h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 push 00000000h 0x00000032 xchg eax, esi 0x00000033 push ebx 0x00000034 push edx 0x00000035 jnc 00007F77F53AF7B6h 0x0000003b pop edx 0x0000003c pop ebx 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 js 00007F77F53AF7B8h 0x00000046 push esi 0x00000047 pop esi 0x00000048 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B8FB2 second address: 3B8FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B8FB6 second address: 3B8FCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F77F53AF7BAh 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B8FCA second address: 3B8FCF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C4EC0 second address: 3C4EC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C4EC5 second address: 3C4F23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D1C04h], ebx 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007F77F50326B8h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e jmp 00007F77F50326BEh 0x00000033 push 00000000h 0x00000035 mov di, si 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C4F23 second address: 3C4F3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C9020 second address: 3C9031 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F77F50326B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C9031 second address: 3C9038 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C9038 second address: 3C90A3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F77F50326BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F77F50326B8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 push 00000000h 0x00000027 sub edi, 3E711DB7h 0x0000002d push 00000000h 0x0000002f mov ebx, dword ptr [ebp+122D2908h] 0x00000035 xchg eax, esi 0x00000036 push eax 0x00000037 jc 00007F77F50326BCh 0x0000003d pop eax 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F77F50326C3h 0x00000048 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C90A3 second address: 3C90A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BF0BA second address: 3BF0CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BF0CF second address: 3BF0E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F77F53AF7C5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BE177 second address: 3BE17D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C0FD6 second address: 3C0FDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CB0FC second address: 3CB100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C310C second address: 3C3110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C3110 second address: 3C3114 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C413D second address: 3C4142 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C50D7 second address: 3C50DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C50DB second address: 3C50E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C50E1 second address: 3C50E6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C6296 second address: 3C629A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C821A second address: 3C821F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C821F second address: 3C823A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F77F53AF7B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F77F53AF7BCh 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C823A second address: 3C82D2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F77F50326BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F77F50326B8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 mov bx, 524Dh 0x00000029 push dword ptr fs:[00000000h] 0x00000030 cld 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 mov edi, ebx 0x0000003a jmp 00007F77F50326BBh 0x0000003f mov eax, dword ptr [ebp+122D06FDh] 0x00000045 push 00000000h 0x00000047 push edi 0x00000048 call 00007F77F50326B8h 0x0000004d pop edi 0x0000004e mov dword ptr [esp+04h], edi 0x00000052 add dword ptr [esp+04h], 0000001Dh 0x0000005a inc edi 0x0000005b push edi 0x0000005c ret 0x0000005d pop edi 0x0000005e ret 0x0000005f mov bh, dh 0x00000061 call 00007F77F50326C1h 0x00000066 movzx ebx, bx 0x00000069 pop ebx 0x0000006a push FFFFFFFFh 0x0000006c cmc 0x0000006d nop 0x0000006e pushad 0x0000006f push eax 0x00000070 push edx 0x00000071 pushad 0x00000072 popad 0x00000073 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C82D2 second address: 3C82D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C82D6 second address: 3C82DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CB30E second address: 3CB314 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CB314 second address: 3CB318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 372D5D second address: 372D67 instructions: 0x00000000 rdtsc 0x00000002 je 00007F77F53AF7B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D4EF1 second address: 3D4F01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jnp 00007F77F50326BEh 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D4F01 second address: 3D4F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D505C second address: 3D5079 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F77F50326C0h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D5079 second address: 3D508B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F77F53AF7BBh 0x0000000b pop esi 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D508B second address: 3D50A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77F50326C5h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D924F second address: 3D927A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F77F53AF7B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F77F53AF7C0h 0x0000000f popad 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F77F53AF7BAh 0x0000001b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D927A second address: 3D927F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D934B second address: 3D9351 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DE8AD second address: 3DE8CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326C8h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DEA3A second address: 3DEA3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DEA3E second address: 3DEA48 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F77F50326B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DEA48 second address: 3DEA51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DF36E second address: 3DF38A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F77F50326C6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E3814 second address: 3E381D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop edx 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E39B7 second address: 3E39BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E39BB second address: 3E39D1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F77F53AF7BCh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E3B35 second address: 3E3B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 js 00007F77F50326B6h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E3B44 second address: 3E3B71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7BBh 0x00000007 jne 00007F77F53AF7C9h 0x0000000d jmp 00007F77F53AF7C3h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E3B71 second address: 3E3B75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E3B75 second address: 3E3B82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E4114 second address: 3E4129 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F77F50326BAh 0x00000008 jnp 00007F77F50326B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E4129 second address: 3E4136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F77F53AF7BCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E458B second address: 3E45A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77F50326C1h 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E4883 second address: 3E4889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E4889 second address: 3E48D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b jno 00007F77F50326BCh 0x00000011 jp 00007F77F50326B8h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jmp 00007F77F50326BFh 0x00000020 pushad 0x00000021 popad 0x00000022 jc 00007F77F50326B6h 0x00000028 popad 0x00000029 push esi 0x0000002a jmp 00007F77F50326BCh 0x0000002f pop esi 0x00000030 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E48D2 second address: 3E48DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E8721 second address: 3E8740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F77F50326B6h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F77F50326C1h 0x00000013 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E8740 second address: 3E8746 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E8746 second address: 3E8750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F77F50326B6h 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E8750 second address: 3E8756 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3ECD16 second address: 3ECD20 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F77F50326B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B9968 second address: 3B998E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F77F53AF7B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F77F53AF7BCh 0x00000010 jno 00007F77F53AF7B6h 0x00000016 popad 0x00000017 push eax 0x00000018 jng 00007F77F53AF7D9h 0x0000001e push eax 0x0000001f push edx 0x00000020 jg 00007F77F53AF7B6h 0x00000026 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B9B58 second address: 3B9B61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3B9E50 second address: 3B9E67 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F77F53AF7BBh 0x00000011 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BA01E second address: 3BA040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F77F50326C7h 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BA040 second address: 3BA046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BA046 second address: 3BA058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BA058 second address: 3BA07B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BA07B second address: 3BA07F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BA07F second address: 3BA083 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BA083 second address: 3BA0A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F77F50326C3h 0x00000013 jmp 00007F77F50326BDh 0x00000018 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BA241 second address: 3BA264 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F77F53AF7B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f jmp 00007F77F53AF7C3h 0x00000014 pop ebx 0x00000015 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BA43D second address: 3BA453 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F77F50326BCh 0x00000008 je 00007F77F50326B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BA453 second address: 3BA457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BA457 second address: 3BA45B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BA58C second address: 3BA5FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F77F53AF7B8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 movzx edx, dx 0x00000029 sub ch, 00000003h 0x0000002c push 00000004h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007F77F53AF7B8h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 push edi 0x00000049 and dx, 3BF1h 0x0000004e pop edx 0x0000004f xor edx, dword ptr [ebp+122D2AB7h] 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 push ebx 0x00000059 pushad 0x0000005a popad 0x0000005b pop ebx 0x0000005c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BA5FB second address: 3BA605 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F77F50326BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BAB8C second address: 3BAB96 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F77F53AF7BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BAC58 second address: 3BAC67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BAC67 second address: 3BAC6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BAC6D second address: 3BACE5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F77F50326C9h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F77F50326B8h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 sub dword ptr [ebp+122D27FCh], edi 0x0000002f lea eax, dword ptr [ebp+1248E6DAh] 0x00000035 mov edi, 0BE8746Ah 0x0000003a push eax 0x0000003b pushad 0x0000003c push ecx 0x0000003d jmp 00007F77F50326C8h 0x00000042 pop ecx 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BACE5 second address: 3BAD31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 or edx, dword ptr [ebp+122D2CD3h] 0x0000000f lea eax, dword ptr [ebp+1248E696h] 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F77F53AF7B8h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 00000019h 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f mov ecx, dword ptr [ebp+122D2C3Bh] 0x00000035 nop 0x00000036 jng 00007F77F53AF7C4h 0x0000003c pushad 0x0000003d jnc 00007F77F53AF7B6h 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EBE5C second address: 3EBEBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326C6h 0x00000007 jnp 00007F77F50326B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F77F50326C5h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jng 00007F77F50326C5h 0x0000001d jmp 00007F77F50326BFh 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F77F50326BFh 0x00000029 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EBEBA second address: 3EBECE instructions: 0x00000000 rdtsc 0x00000002 je 00007F77F53AF7B6h 0x00000008 jmp 00007F77F53AF7BAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EC033 second address: 3EC049 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jmp 00007F77F50326BBh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EC190 second address: 3EC19C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F77F53AF7B6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EC2E7 second address: 3EC2F1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F77F50326B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EC5F4 second address: 3EC610 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F77F53AF7C2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EC610 second address: 3EC616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EC616 second address: 3EC61C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EC61C second address: 3EC622 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EC622 second address: 3EC638 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnp 00007F77F53AF7B6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F77F53AF7B6h 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3EC638 second address: 3EC63E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F07DA second address: 3F07DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F6B8C second address: 3F6B96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F6B96 second address: 3F6B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F6B9A second address: 3F6B9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F6B9E second address: 3F6BC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F77F53AF7C9h 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F5A19 second address: 3F5A2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F5A2D second address: 3F5A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F5A33 second address: 3F5A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F5A37 second address: 3F5A3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F5A3D second address: 3F5A5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326C8h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F5B7C second address: 3F5B82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F56DE second address: 3F5702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77F50326C9h 0x00000009 popad 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F5702 second address: 3F572B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F77F53AF7B6h 0x00000009 jmp 00007F77F53AF7C3h 0x0000000e jmp 00007F77F53AF7BBh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F6609 second address: 3F6615 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F77F50326B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F6615 second address: 3F6619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F8F78 second address: 3F8F97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F77F50326C2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F8F97 second address: 3F8FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F77F53AF7B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F8FA7 second address: 3F8FAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F8AE5 second address: 3F8B03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7BDh 0x00000007 jmp 00007F77F53AF7BDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FBA24 second address: 3FBA37 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jbe 00007F77F50326B6h 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FBA37 second address: 3FBA3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FBA3E second address: 3FBA7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c jbe 00007F77F50326B6h 0x00000012 jmp 00007F77F50326C5h 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push esi 0x0000001a pop esi 0x0000001b pushad 0x0000001c popad 0x0000001d pop eax 0x0000001e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FBA7C second address: 3FBA9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F77F53AF7C8h 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FBD94 second address: 3FBD99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FBD99 second address: 3FBDA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FBF15 second address: 3FBF1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4013FA second address: 40141E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F77F53AF7B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jl 00007F77F53AF7B6h 0x00000013 jnp 00007F77F53AF7B6h 0x00000019 push eax 0x0000001a pop eax 0x0000001b push edx 0x0000001c pop edx 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40141E second address: 401424 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4015A3 second address: 4015A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BA80A second address: 3BA80E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 401AB5 second address: 401ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77F53AF7C4h 0x00000009 popad 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 401ACE second address: 401AD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 401C7D second address: 401C83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 401C83 second address: 401C9C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F77F50326BDh 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 407485 second address: 40748E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40748E second address: 4074A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77F50326BDh 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4074A1 second address: 4074AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4074AE second address: 4074B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4066B1 second address: 4066BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F77F53AF7B6h 0x0000000a popad 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 406853 second address: 40688C instructions: 0x00000000 rdtsc 0x00000002 js 00007F77F50326B6h 0x00000008 jns 00007F77F50326B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push ebx 0x00000012 jmp 00007F77F50326C2h 0x00000017 jmp 00007F77F50326BDh 0x0000001c pop ebx 0x0000001d push ecx 0x0000001e pushad 0x0000001f popad 0x00000020 pop ecx 0x00000021 push edi 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4069D6 second address: 4069EA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F77F53AF7BAh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4069EA second address: 4069EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4069EE second address: 4069F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4069F2 second address: 406A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 406A00 second address: 406A04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 406A04 second address: 406A08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 406A08 second address: 406A0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 406A0E second address: 406A2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F77F50326C7h 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 406B8E second address: 406BA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F77F53AF7BBh 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 406BA4 second address: 406BBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40A536 second address: 40A545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jne 00007F77F53AF7B6h 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40A545 second address: 40A561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F77F50326C3h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40A561 second address: 40A567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40A567 second address: 40A56B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 409C4B second address: 409C83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77F53AF7C5h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F77F53AF7BFh 0x00000010 js 00007F77F53AF7C2h 0x00000016 jno 00007F77F53AF7B6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 409C83 second address: 409C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 409DD1 second address: 409DDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F77F53AF7B6h 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 409DDB second address: 409DDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 409DDF second address: 409DEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 409DEA second address: 409E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77F50326BEh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 409E04 second address: 409E1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F77F53AF7C0h 0x0000000b popad 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 409E1B second address: 409E28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F77F50326B6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 409E28 second address: 409E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 409E31 second address: 409E35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 409E35 second address: 409E3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 409F8D second address: 409F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F77F50326B6h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40FCC9 second address: 40FCD0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40FCD0 second address: 40FCD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40FCD9 second address: 40FCEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 40FCEF second address: 40FD12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F77F50326C2h 0x00000010 jnp 00007F77F50326B6h 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4103E4 second address: 4103EE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F77F53AF7B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4103EE second address: 4103F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4103F4 second address: 4103F9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4103F9 second address: 410432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77F50326C9h 0x00000009 pop edi 0x0000000a jmp 00007F77F50326BFh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007F77F50326C2h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 410432 second address: 410438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 410438 second address: 41043C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 410723 second address: 410727 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 410727 second address: 410731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 410A2E second address: 410A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 410A32 second address: 410A36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 410A36 second address: 410A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77F53AF7BBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F77F53AF7C8h 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41102A second address: 411030 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 411030 second address: 411045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F77F53AF7BAh 0x0000000c popad 0x0000000d push ebx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41131E second address: 411325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 411325 second address: 411357 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jns 00007F77F53AF7C3h 0x00000010 jng 00007F77F53AF7BCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 411924 second address: 411928 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41687A second address: 416882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 416882 second address: 4168E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 jmp 00007F77F50326BFh 0x0000000e jmp 00007F77F50326C8h 0x00000013 popad 0x00000014 pushad 0x00000015 jng 00007F77F50326C7h 0x0000001b jmp 00007F77F50326C1h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F77F50326C4h 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4168E3 second address: 4168E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4160FB second address: 41611B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F77F50326BEh 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41611B second address: 41614F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F77F53AF7C5h 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41614F second address: 416159 instructions: 0x00000000 rdtsc 0x00000002 js 00007F77F50326B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 416159 second address: 416170 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jbe 00007F77F53AF7B6h 0x0000000b jno 00007F77F53AF7B6h 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41642D second address: 416431 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 416431 second address: 416441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F77F53AF7B6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 416441 second address: 416447 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41C8CB second address: 41C8ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41C8ED second address: 41C8FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jbe 00007F77F50326BCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 422877 second address: 42287B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42287B second address: 422881 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 423377 second address: 423386 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F77F53AF7BAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4234BA second address: 4234BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4234BF second address: 4234CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F77F53AF7B6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4234CB second address: 4234D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 423CB6 second address: 423CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 423CBB second address: 423CD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326C5h 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 423CD7 second address: 423D0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F77F53AF7C0h 0x0000000d jmp 00007F77F53AF7C5h 0x00000012 push esi 0x00000013 pushad 0x00000014 popad 0x00000015 pop esi 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42D6FE second address: 42D703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42D703 second address: 42D708 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43B8D2 second address: 43B8D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43BA49 second address: 43BA67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F77F53AF7B6h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F77F53AF7BFh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43BA67 second address: 43BA6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43BA6B second address: 43BA9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C7h 0x00000007 jmp 00007F77F53AF7C9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4405E3 second address: 44061B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F77F50326BCh 0x00000008 jmp 00007F77F50326C0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jl 00007F77F50326B6h 0x00000018 jmp 00007F77F50326BDh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44061B second address: 440620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 445726 second address: 44573C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 jmp 00007F77F50326BCh 0x0000000b pop edi 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44573C second address: 44575A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77F53AF7BCh 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F77F53AF7B6h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44575A second address: 445777 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F77F50326C7h 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 445777 second address: 44577D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44D537 second address: 44D53D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44D32E second address: 44D334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44D334 second address: 44D390 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326BEh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F77F50326BCh 0x00000011 jmp 00007F77F50326BEh 0x00000016 ja 00007F77F50326B6h 0x0000001c jmp 00007F77F50326BAh 0x00000021 popad 0x00000022 jmp 00007F77F50326C9h 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44D390 second address: 44D398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4566B0 second address: 4566B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 456B35 second address: 456B3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 456DFD second address: 456E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edi 0x00000007 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 457A2F second address: 457A4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jnp 00007F77F53AF7CEh 0x0000000d jne 00007F77F53AF7BEh 0x00000013 jns 00007F77F53AF7B6h 0x00000019 pushad 0x0000001a popad 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46B162 second address: 46B16C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46B16C second address: 46B172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46B172 second address: 46B176 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46B176 second address: 46B17C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46CB79 second address: 46CB86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F77F50326B6h 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46CB86 second address: 46CBB1 instructions: 0x00000000 rdtsc 0x00000002 je 00007F77F53AF7B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F77F53AF7C6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007F77F53AF7BCh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46CBB1 second address: 46CBB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46CBB5 second address: 46CBD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C8h 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F77F53AF7B6h 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46CBD7 second address: 46CBDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46CBDB second address: 46CBE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 468EB3 second address: 468ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F77F50326C4h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 468ECF second address: 468ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 468ED3 second address: 468ED7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 468ED7 second address: 468EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 468EDD second address: 468EE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47A299 second address: 47A2A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F77F53AF7B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 493295 second address: 4932B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77F50326C7h 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 493411 second address: 493417 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 493417 second address: 49341B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49341B second address: 49341F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49341F second address: 49342A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49403F second address: 49404D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F77F53AF7B8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 497126 second address: 497138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F77F50326BAh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4987E6 second address: 498809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F77F53AF7C9h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 498809 second address: 49880F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49880F second address: 49882F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 jl 00007F77F53AF7D8h 0x0000000e jbe 00007F77F53AF7B8h 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 jno 00007F77F53AF7B6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49882F second address: 498833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 498833 second address: 498837 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B31F second address: 49B33A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jne 00007F77F50326B6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F77F50326BCh 0x00000015 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B33A second address: 49B34C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F77F53AF7BDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B34C second address: 49B38A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 sub dword ptr [ebp+122D1BABh], ebx 0x0000000e push 00000004h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F77F50326B8h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a clc 0x0000002b push 24CCD197h 0x00000030 push eax 0x00000031 push edx 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B38A second address: 49B38F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B625 second address: 49B629 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B629 second address: 49B62F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B62F second address: 49B634 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B60008 second address: 4B6000C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B6000C second address: 4B60012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B60012 second address: 4B60018 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B60018 second address: 4B6001C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B6001C second address: 4B60020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B60020 second address: 4B60041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F77F50326C4h 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B60041 second address: 4B60047 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B60047 second address: 4B6004D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B6004D second address: 4B6007C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F77F53AF7BEh 0x00000013 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B6007C second address: 4B60082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B60082 second address: 4B60086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B60086 second address: 4B60103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov dx, 3E3Ah 0x0000000e jmp 00007F77F50326BBh 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 jmp 00007F77F50326C4h 0x0000001c jmp 00007F77F50326C2h 0x00000021 popad 0x00000022 pop ebp 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F77F50326BEh 0x0000002a or ch, 00000008h 0x0000002d jmp 00007F77F50326BBh 0x00000032 popfd 0x00000033 push eax 0x00000034 push edx 0x00000035 call 00007F77F50326C6h 0x0000003a pop ecx 0x0000003b rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B40F0F second address: 4B40F15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B40F15 second address: 4B40F19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B40F19 second address: 4B40F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx ebx, ax 0x00000010 popad 0x00000011 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B90594 second address: 4B905E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c call 00007F77F50326C1h 0x00000011 mov eax, 384DB057h 0x00000016 pop esi 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 pushad 0x0000001a mov cl, D5h 0x0000001c mov cx, bx 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 jmp 00007F77F50326C3h 0x00000027 pop ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushad 0x0000002c popad 0x0000002d mov ebx, 0B63D1D4h 0x00000032 popad 0x00000033 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B200C1 second address: 4B200D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77F53AF7BCh 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B200D1 second address: 4B200D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B200D5 second address: 4B200FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F77F53AF7BCh 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F77F53AF7BAh 0x0000001a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B200FB second address: 4B20101 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B20101 second address: 4B20107 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B20107 second address: 4B2010B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B2010B second address: 4B2016A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F77F53AF7C0h 0x00000012 push dword ptr [ebp+04h] 0x00000015 jmp 00007F77F53AF7C0h 0x0000001a push dword ptr [ebp+0Ch] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F77F53AF7C7h 0x00000024 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B40C59 second address: 4B40C5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B40C5F second address: 4B40C65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B40C65 second address: 4B40C69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B40C69 second address: 4B40CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ax, di 0x0000000d jmp 00007F77F53AF7BFh 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 jmp 00007F77F53AF7C6h 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B40CA5 second address: 4B40CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B40CA9 second address: 4B40CAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B40CAF second address: 4B40CD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, eax 0x00000005 mov si, 6C7Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F77F50326C4h 0x00000015 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B40831 second address: 4B40835 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B40835 second address: 4B4083B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B4083B second address: 4B40860 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, cl 0x00000005 mov dl, 22h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F77F53AF7C6h 0x00000014 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B40860 second address: 4B4086F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B4086F second address: 4B40875 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B40875 second address: 4B4088D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F77F50326BDh 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B4088D second address: 4B4089D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77F53AF7BCh 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B4089D second address: 4B408A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B408A1 second address: 4B408DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F77F53AF7C7h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F77F53AF7C5h 0x00000017 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B408DA second address: 4B408E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B408E0 second address: 4B408E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B408E4 second address: 4B40901 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F77F50326C2h 0x00000010 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B40901 second address: 4B40906 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B407A4 second address: 4B407A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B407A8 second address: 4B407AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B407AC second address: 4B407B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B407B2 second address: 4B407E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 35531235h 0x00000008 call 00007F77F53AF7C2h 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F77F53AF7BCh 0x0000001a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B5022A second address: 4B5022E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B5022E second address: 4B50232 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B50232 second address: 4B50238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B50238 second address: 4B5025B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F77F53AF7BAh 0x00000013 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B5025B second address: 4B50261 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B50261 second address: 4B5028E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7BEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F77F53AF7C7h 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B5028E second address: 4B502A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77F50326C4h 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B60534 second address: 4B60538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B60538 second address: 4B60555 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B60555 second address: 4B60573 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B60573 second address: 4B60577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B60577 second address: 4B6057D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B6057D second address: 4B60583 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B60583 second address: 4B60587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B60587 second address: 4B6058B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B6058B second address: 4B605F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F77F53AF7C6h 0x00000011 or ah, 00000048h 0x00000014 jmp 00007F77F53AF7BBh 0x00000019 popfd 0x0000001a call 00007F77F53AF7C8h 0x0000001f mov si, 9DC1h 0x00000023 pop esi 0x00000024 popad 0x00000025 mov eax, dword ptr [ebp+08h] 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F77F53AF7C8h 0x0000002f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B605F7 second address: 4B6064D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax], 00000000h 0x0000000c jmp 00007F77F50326C6h 0x00000011 and dword ptr [eax+04h], 00000000h 0x00000015 jmp 00007F77F50326C0h 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F77F50326C7h 0x00000022 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B406ED second address: 4B40722 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F77F53AF7C1h 0x00000008 pop eax 0x00000009 mov edx, 2158AB24h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 mov di, 3ABCh 0x00000017 mov esi, edx 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c pushad 0x0000001d mov cx, 599Fh 0x00000021 popad 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B40722 second address: 4B40739 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B50F0E second address: 4B50F20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77F53AF7BEh 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B6030A second address: 4B60339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F77F50326C1h 0x0000000a add eax, 540A10B6h 0x00000010 jmp 00007F77F50326C1h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B60339 second address: 4B6037D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F77F53AF7C6h 0x00000014 adc esi, 7E3B9638h 0x0000001a jmp 00007F77F53AF7BBh 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B6037D second address: 4B603AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F77F50326BDh 0x00000011 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B808A0 second address: 4B808F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F77F53AF7C3h 0x00000014 add cx, E7BEh 0x00000019 jmp 00007F77F53AF7C9h 0x0000001e popfd 0x0000001f movzx esi, di 0x00000022 popad 0x00000023 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B808F1 second address: 4B808F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B808F7 second address: 4B808FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B808FB second address: 4B8091A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 pushad 0x0000000a mov bx, si 0x0000000d mov esi, 0BC19EC9h 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov esi, 08C23EE7h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B8091A second address: 4B809DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F77F53AF7C5h 0x00000009 and si, 4E06h 0x0000000e jmp 00007F77F53AF7C1h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ecx 0x00000018 pushad 0x00000019 mov edi, 7183348Eh 0x0000001e popad 0x0000001f mov eax, dword ptr [76FB65FCh] 0x00000024 pushad 0x00000025 jmp 00007F77F53AF7BBh 0x0000002a pushad 0x0000002b pushad 0x0000002c popad 0x0000002d pushfd 0x0000002e jmp 00007F77F53AF7C4h 0x00000033 add ah, 00000008h 0x00000036 jmp 00007F77F53AF7BBh 0x0000003b popfd 0x0000003c popad 0x0000003d popad 0x0000003e test eax, eax 0x00000040 pushad 0x00000041 mov ecx, 2E21369Bh 0x00000046 movzx eax, di 0x00000049 popad 0x0000004a je 00007F7867762781h 0x00000050 jmp 00007F77F53AF7C3h 0x00000055 mov ecx, eax 0x00000057 jmp 00007F77F53AF7C6h 0x0000005c xor eax, dword ptr [ebp+08h] 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F77F53AF7BCh 0x00000066 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B809DD second address: 4B80A42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c pushad 0x0000000d mov esi, 0743AC4Bh 0x00000012 pushfd 0x00000013 jmp 00007F77F50326C0h 0x00000018 jmp 00007F77F50326C5h 0x0000001d popfd 0x0000001e popad 0x0000001f ror eax, cl 0x00000021 pushad 0x00000022 mov dx, si 0x00000025 pushad 0x00000026 mov cl, 6Dh 0x00000028 mov bh, 7Ch 0x0000002a popad 0x0000002b popad 0x0000002c leave 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov al, dh 0x00000032 call 00007F77F50326C0h 0x00000037 pop eax 0x00000038 popad 0x00000039 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B80A42 second address: 4B80A58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, ax 0x00000006 mov ebx, esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b retn 0004h 0x0000000e nop 0x0000000f mov esi, eax 0x00000011 lea eax, dword ptr [ebp-08h] 0x00000014 xor esi, dword ptr [001F2014h] 0x0000001a push eax 0x0000001b push eax 0x0000001c push eax 0x0000001d lea eax, dword ptr [ebp-10h] 0x00000020 push eax 0x00000021 call 00007F77F9D80216h 0x00000026 push FFFFFFFEh 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B80A58 second address: 4B80A69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B80A69 second address: 4B80A6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B80A6F second address: 4B80A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B80A73 second address: 4B80A97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 jmp 00007F77F53AF7BFh 0x0000000e ret 0x0000000f nop 0x00000010 push eax 0x00000011 call 00007F77F9D8024Bh 0x00000016 mov edi, edi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b movsx ebx, si 0x0000001e mov edx, ecx 0x00000020 popad 0x00000021 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B80A97 second address: 4B80AEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F77F50326BFh 0x00000009 xor ah, FFFFFF9Eh 0x0000000c jmp 00007F77F50326C9h 0x00000011 popfd 0x00000012 push eax 0x00000013 pop ebx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 mov di, si 0x0000001c mov bx, si 0x0000001f popad 0x00000020 push eax 0x00000021 pushad 0x00000022 mov ebx, 2AB8D762h 0x00000027 mov dh, 07h 0x00000029 popad 0x0000002a xchg eax, ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov di, DD12h 0x00000032 pushad 0x00000033 popad 0x00000034 popad 0x00000035 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B80AEA second address: 4B80B03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77F53AF7C5h 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B30078 second address: 4B3007E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B3007E second address: 4B300EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F77F53AF7BBh 0x00000009 or esi, 4F95713Eh 0x0000000f jmp 00007F77F53AF7C9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F77F53AF7C0h 0x0000001b and esi, 19F09E38h 0x00000021 jmp 00007F77F53AF7BBh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a and esp, FFFFFFF8h 0x0000002d pushad 0x0000002e jmp 00007F77F53AF7C4h 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B300EF second address: 4B30121 instructions: 0x00000000 rdtsc 0x00000002 mov bx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ecx 0x00000009 jmp 00007F77F50326C8h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F77F50326BEh 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B30121 second address: 4B30127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B30127 second address: 4B3017C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F77F50326BFh 0x00000010 sub ecx, 10CFFB6Eh 0x00000016 jmp 00007F77F50326C9h 0x0000001b popfd 0x0000001c movzx esi, bx 0x0000001f popad 0x00000020 push esi 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F77F50326C2h 0x0000002a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B3017C second address: 4B3018B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B3018B second address: 4B30193 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B30193 second address: 4B301A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], ebx 0x0000000a pushad 0x0000000b push esi 0x0000000c mov si, di 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B301A7 second address: 4B301AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B301AB second address: 4B301F9 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F77F53AF7BEh 0x00000008 sub ecx, 3B3443A8h 0x0000000e jmp 00007F77F53AF7BBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov ebx, dword ptr [ebp+10h] 0x0000001a jmp 00007F77F53AF7C6h 0x0000001f xchg eax, esi 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F77F53AF7BAh 0x00000029 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B301F9 second address: 4B301FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B301FD second address: 4B30203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B30203 second address: 4B3024B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F77F50326C3h 0x00000009 and si, 76FEh 0x0000000e jmp 00007F77F50326C9h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F77F50326BCh 0x0000001f rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B3024B second address: 4B30251 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B30251 second address: 4B30255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B30255 second address: 4B30259 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B30259 second address: 4B302AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 pushad 0x0000000a mov cx, bx 0x0000000d pushfd 0x0000000e jmp 00007F77F50326BBh 0x00000013 and eax, 271951BEh 0x00000019 jmp 00007F77F50326C9h 0x0000001e popfd 0x0000001f popad 0x00000020 mov esi, dword ptr [ebp+08h] 0x00000023 jmp 00007F77F50326BEh 0x00000028 xchg eax, edi 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov bl, 28h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B302AC second address: 4B302B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B302B1 second address: 4B3031E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, AEA6h 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e mov ecx, 6E9845DFh 0x00000013 pushfd 0x00000014 jmp 00007F77F50326C4h 0x00000019 adc ax, D448h 0x0000001e jmp 00007F77F50326BBh 0x00000023 popfd 0x00000024 popad 0x00000025 xchg eax, edi 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F77F50326BBh 0x0000002f adc eax, 76141E8Eh 0x00000035 jmp 00007F77F50326C9h 0x0000003a popfd 0x0000003b mov edx, eax 0x0000003d popad 0x0000003e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B3031E second address: 4B30391 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F77F53AF7C3h 0x00000009 sub eax, 648F3C9Eh 0x0000000f jmp 00007F77F53AF7C9h 0x00000014 popfd 0x00000015 call 00007F77F53AF7C0h 0x0000001a pop eax 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e test esi, esi 0x00000020 jmp 00007F77F53AF7C1h 0x00000025 je 00007F78677ADA4Fh 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F77F53AF7BDh 0x00000032 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B30391 second address: 4B30397 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B30397 second address: 4B3039B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B3039B second address: 4B3039F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B3039F second address: 4B303C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F77F53AF7C2h 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B303C2 second address: 4B3041B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 mov di, A570h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d je 00007F7867430912h 0x00000013 pushad 0x00000014 call 00007F77F50326C5h 0x00000019 pushfd 0x0000001a jmp 00007F77F50326C0h 0x0000001f sbb cx, 14E8h 0x00000024 jmp 00007F77F50326BBh 0x00000029 popfd 0x0000002a pop esi 0x0000002b mov cx, dx 0x0000002e popad 0x0000002f mov edx, dword ptr [esi+44h] 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B3041B second address: 4B30437 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B30437 second address: 4B30451 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov esi, 11ADDCC1h 0x00000014 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B30451 second address: 4B304E9 instructions: 0x00000000 rdtsc 0x00000002 mov al, 83h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F77F53AF7C3h 0x0000000c jmp 00007F77F53AF7C3h 0x00000011 popfd 0x00000012 popad 0x00000013 test edx, 61000000h 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F77F53AF7C4h 0x00000020 and ax, 7E68h 0x00000025 jmp 00007F77F53AF7BBh 0x0000002a popfd 0x0000002b pushfd 0x0000002c jmp 00007F77F53AF7C8h 0x00000031 or cx, 50C8h 0x00000036 jmp 00007F77F53AF7BBh 0x0000003b popfd 0x0000003c popad 0x0000003d jne 00007F78677AD966h 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 movsx edi, cx 0x00000049 mov ax, 36D3h 0x0000004d popad 0x0000004e rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B304E9 second address: 4B30526 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F77F50326C8h 0x00000016 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B30526 second address: 4B3052C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B3052C second address: 4B30584 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edx 0x00000005 mov ah, 60h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F7867430821h 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F77F50326C1h 0x00000017 sbb si, A356h 0x0000001c jmp 00007F77F50326C1h 0x00000021 popfd 0x00000022 popad 0x00000023 test bl, 00000007h 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F77F50326C8h 0x0000002d rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B2072E second address: 4B20734 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B20734 second address: 4B2073A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B2073A second address: 4B2075F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F53AF7C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B2075F second address: 4B20765 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B20765 second address: 4B207CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F77F53AF7C2h 0x00000009 jmp 00007F77F53AF7C5h 0x0000000e popfd 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 jmp 00007F77F53AF7C7h 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F77F53AF7C6h 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B207CD second address: 4B207EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77F50326C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B207EA second address: 4B2081F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 call 00007F77F53AF7C8h 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f and esp, FFFFFFF8h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F77F53AF7BDh 0x0000001a rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B20973 second address: 4B209F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 11668C25h 0x00000008 movzx eax, dx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e je 00007F78674380C3h 0x00000014 jmp 00007F77F50326BDh 0x00000019 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000020 pushad 0x00000021 mov cx, 8513h 0x00000025 call 00007F77F50326C8h 0x0000002a pushad 0x0000002b popad 0x0000002c pop ecx 0x0000002d popad 0x0000002e mov ecx, esi 0x00000030 jmp 00007F77F50326C7h 0x00000035 je 00007F7867438084h 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F77F50326C5h 0x00000042 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B209F2 second address: 4B209F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B209F8 second address: 4B20A1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test byte ptr [76FB6968h], 00000002h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F77F50326C1h 0x00000018 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B20A1C second address: 4B20A20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B20A20 second address: 4B20A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B20A26 second address: 4B20A2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                  Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B20A2C second address: 4B20A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                  Tries to evade debugger and weak emulator (self modifying code)
                  Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 3CDEE9 instructions caused by: Self-modifying code
                  Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 3B9AFA instructions caused by: Self-modifying code
                  Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 42ECC3 instructions caused by: Self-modifying code
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeSpecial instruction interceptor: First address: 6EDEE9 instructions caused by: Self-modifying code
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeSpecial instruction interceptor: First address: 6D9AFA instructions caused by: Self-modifying code
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeSpecial instruction interceptor: First address: 74ECC3 instructions caused by: Self-modifying code
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_04BB01B4 rdtsc 0_2_04BB01B4
                  Source: C:\Users\user\Desktop\file.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: explorti.exe, explorti.exe, 00000002.00000002.1732460581.00000000006A6000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                  Source: file.exe, 00000000.00000003.1665115550.0000000000C7D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: file.exe, 00000000.00000002.1691955466.0000000000386000.00000040.00000001.01000000.00000003.sdmp, explorti.exe, 00000001.00000002.1727761176.00000000006A6000.00000040.00000001.01000000.00000007.sdmp, explorti.exe, 00000002.00000002.1732460581.00000000006A6000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                  Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

                  Anti Debugging

                  barindex
                  Hides threads from debuggers
                  Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeThread information set: HideFromDebuggerJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeThread information set: HideFromDebuggerJump to behavior
                  Tries to detect sandboxes and other dynamic analysis tools (window names)
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeOpen window title or class name: regmonclass
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeOpen window title or class name: gbdyllo
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeOpen window title or class name: procmon_window_class
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeOpen window title or class name: ollydbg
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeOpen window title or class name: filemonclass
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeFile opened: NTICE
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeFile opened: SICE
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeFile opened: SIWVID
                  Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_04BB01B4 rdtsc 0_2_04BB01B4
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe "C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" Jump to behavior
                  Source: explorti.exe, explorti.exe, 00000002.00000002.1732460581.00000000006A6000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: Program Manager

                  Stealing of Sensitive Information

                  barindex
                  Yara detected Amadeys stealer DLL
                  Source: Yara matchFile source: 1.2.explorti.exe.4b0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.explorti.exe.4b0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.190000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000003.1651424668.0000000004980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.1727702527.00000000004B1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000003.1685833008.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1691825005.0000000000191000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000003.1692232383.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.1732393400.00000000004B1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
                  Command and Scripting Interpreter                  		1
                  Scheduled Task/Job                  		12
                  Process Injection                  		1
                  Masquerading                  		OS Credential Dumping741
                  Security Software Discovery                  		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts1
                  Scheduled Task/Job                  		1
                  DLL Side-Loading                  		1
                  Scheduled Task/Job                  		23
                  Virtualization/Sandbox Evasion                  		LSASS Memory23
                  Virtualization/Sandbox Evasion                  		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                  DLL Side-Loading                  		12
                  Software Packing                  		Security Account Manager2
                  Process Discovery                  		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                  Process Injection                  		NTDS1
                  File and Directory Discovery                  		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  DLL Side-Loading                  		LSA Secrets23
                  System Information Discovery                  		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  Obfuscated Files or Information                  		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  file.exe57%VirustotalBrowse
                  file.exe100%AviraTR/Crypt.TPM.Gen
                  file.exe100%Joe Sandbox ML

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe100%AviraTR/Crypt.TPM.Gen
                  C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe57%VirustotalBrowse

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  No Antivirus matches

                  Domains and IPs

                  Contacted Domains

                  No contacted domains info

                  World Map of Contacted IPs

                  No contacted IP infos

                  General Information

                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1502383
                  Start date and time:2024-09-01 03:59:06 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 4m 27s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:8
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:file.exe
                  Detection:MAL
                  Classification:mal100.spyw.evad.winEXE@4/3@0/0
                  EGA Information:Failed
                  HCA Information:Failed
                  Cookbook Comments:
                  • Found application associated with file extension: .exe

                  Warnings

                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target explorti.exe, PID 1700 because there are no executed function
                  • Execution Graph export aborted for target explorti.exe, PID 6740 because there are no executed function
                  • Execution Graph export aborted for target file.exe, PID 3236 because it is empty
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.

                  Simulations

                  Behavior and APIs

                  TimeTypeDescription
                  02:59:56Task SchedulerRun new task: explorti path: C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  No context

                  ASNs

                  No context

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

                  Download File
                  Process:C:\Users\user\Desktop\file.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):1901568
                  Entropy (8bit):7.948792240954086
                  Encrypted:false
                  SSDEEP:49152:Ks9y5mrbLuxziJZzrySK4UpdsU9qR5m99:EmnLuxmJZzrg/sTR49
                  MD5:D6BF1C871BCB459F85A6CFFC7367EBD2
                  SHA1:0FBB9C88EC4E9E3B02BE1E53A737CE5D2A632451
                  SHA-256:6A3D6A5974BBD540286B02095FEA0E50746094DD90E2B39A6552E9479428CBE9
                  SHA-512:9F0978211D8A4A4E0430FCA449B40474C6FB361498337A0062F39E7B7525C7E6205161C1DE3EF32157FBDD718CF538B1E9EDF84344DB7EB393B4A89A5A903AAD
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: Virustotal, Detection: 57%, Browse
                  Reputation:low
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....A.f..............................K...........@...........................K...........@.................................W...k............................gK..............................gK..................................................... . ............................@....rsrc...............................@....idata ............................@... ..*.........................@...xfsxygai......1.....................@...lrtpjxrb.....pK.....................@....taggant.0....K.."..................@...........................................................................................................................................................................................................................

                  C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe:Zone.Identifier

                  Download File
                  Process:C:\Users\user\Desktop\file.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:true
                  Reputation:high, very likely benign file
                  Preview:[ZoneTransfer]....ZoneId=0

                  C:\Windows\Tasks\explorti.job

                  Download File
                  Process:C:\Users\user\Desktop\file.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):288
                  Entropy (8bit):3.3833329267550787
                  Encrypted:false
                  SSDEEP:6:30a3wt1YRRKUEZ+lX1cI1l6lm6tPjgsW2YRZuy0lFXS1:301zYRRKQ1cag7jzvYRQV41
                  MD5:6679E70085C2A6E566F795B3E976D639
                  SHA1:3C4DF3DC58E6EC0FB5523CF0484762AA647101D6
                  SHA-256:F54EE32AA158477291136754D21C48941A78C610372E8553D68F42830811158B
                  SHA-512:D8EE693DF36B00C3FE568A8912C94775FF8EF973F26F4B7FF718D75D0F53DF515C78A244DFB1BB08F8DFF97B76DDEE7B0BD161709D6F7DDEC8A2FE19DB97A5D3
                  Malicious:false
                  Reputation:low
                  Preview:......r..@...g....F.......<... .....s.......... ....................:.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.0.d.8.f.5.e.b.8.a.7.\.e.x.p.l.o.r.t.i...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0.................;.............................

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.948792240954086
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:file.exe
                  File size:1'901'568 bytes
                  MD5:d6bf1c871bcb459f85a6cffc7367ebd2
                  SHA1:0fbb9c88ec4e9e3b02be1e53a737ce5d2a632451
                  SHA256:6a3d6a5974bbd540286b02095fea0e50746094dd90e2b39a6552e9479428cbe9
                  SHA512:9f0978211d8a4a4e0430fca449b40474c6fb361498337a0062f39e7b7525c7e6205161c1de3ef32157fbdd718cf538b1e9edf84344db7eb393b4a89a5a903aad
                  SSDEEP:49152:Ks9y5mrbLuxziJZzrySK4UpdsU9qR5m99:EmnLuxmJZzrg/sTR49
                  TLSH:7895334124C925B6EBF0C0FF99F9DB50B5E4E64BB11F8E592B0AC135824FD8E64489CB
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

                  File Icon

                  Icon Hash:90cececece8e8eb0

                  Static PE Info

                  General

                  Entrypoint:0x8b8000
                  Entrypoint Section:.taggant
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                  Time Stamp:0x66A24110 [Thu Jul 25 12:12:00 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:6
                  OS Version Minor:0
                  File Version Major:6
                  File Version Minor:0
                  Subsystem Version Major:6
                  Subsystem Version Minor:0
                  Import Hash:2eabe9054cad5152567f0699947a2c5b

                  Entrypoint Preview

                  Instruction
                  jmp 00007F77F5178EFAh
                  psrad mm3, qword ptr [eax+eax]
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  jmp 00007F77F517AEF5h
                  add byte ptr [eax+eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  and al, 00h
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  or dword ptr [eax+00000000h], eax
                  add byte ptr [eax], al
                  adc byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add ecx, dword ptr [edx]
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al

                  Data Directories

                  NameVirtual AddressVirtual Size Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_IMPORT0x6a0570x6b.idata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x690000x1e0.rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x4b67e40x10xfsxygai
                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                  IMAGE_DIRECTORY_ENTRY_TLS0x4b67940x18xfsxygai
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                  Sections

                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                  0x10000x680000x2dc00540b8c650fcdbaaff6d8437a7493da43False0.9994236680327869data7.974328731626917IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc0x690000x1e00x2005f8a3d7f75540abd0ed9d86b7e281a3bFalse0.580078125data4.501410333188931IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .idata 0x6a0000x10000x200cc76e3822efdc911f469a3e3cc9ce9feFalse0.1484375data1.0428145631430756IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  0x6b0000x2ad0000x2006e03443e21e669af1380109c3141e2cdunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  xfsxygai0x3180000x19f0000x19ea00398158448a2313ee0d336c4a794b8ccbFalse0.9944450463521254data7.9539400654889505IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  lrtpjxrb0x4b70000x10000x60008cf935197ac36e8da9a7f6be28f2e83False0.5416666666666666data4.811818733207401IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .taggant0x4b80000x30000x220037c96664fa27a99300694df3fb260f03False0.06479779411764706DOS executable (COM)0.7386353969017528IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                  Resources

                  NameRVASizeTypeLanguageCountryZLIB Complexity
                  RT_MANIFEST0x4b67f40x17dXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5931758530183727

                  Imports

                  DLLImport
                  kernel32.dlllstrcpy

                  Possible Origin

                  Language of compilation systemCountry where language is spokenMap
                  EnglishUnited States

                  Network Behavior

                  No network behavior found

                  Statistics

                  CPU Usage

                  Click to jump to process

                  Memory Usage

                  Click to jump to process

                  High Level Behavior Distribution

                  Click to dive into process behavior distribution

                  Behavior

                  Click to jump to process

                  System Behavior

                  General

                  Target ID:0
                  Start time:21:59:52
                  Start date:31/08/2024
                  Path:C:\Users\user\Desktop\file.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\file.exe"
                  Imagebase:0x190000
                  File size:1'901'568 bytes
                  MD5 hash:D6BF1C871BCB459F85A6CFFC7367EBD2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.1651424668.0000000004980000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.1691825005.0000000000191000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:true

                  General

                  Target ID:1
                  Start time:21:59:55
                  Start date:31/08/2024
                  Path:C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
                  Imagebase:0x4b0000
                  File size:1'901'568 bytes
                  MD5 hash:D6BF1C871BCB459F85A6CFFC7367EBD2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000002.1727702527.00000000004B1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000003.1685833008.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  Antivirus matches:
                  • Detection: 100%, Avira
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 57%, Virustotal, Browse
                  Reputation:low
                  Has exited:true

                  General

                  Target ID:2
                  Start time:21:59:56
                  Start date:31/08/2024
                  Path:C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
                  Imagebase:0x4b0000
                  File size:1'901'568 bytes
                  MD5 hash:D6BF1C871BCB459F85A6CFFC7367EBD2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.1692232383.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.1732393400.00000000004B1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:true

                  Disassembly

                  Reset < >

                    Executed Functions

                    Function 04BB01B4 Relevance: .1, Instructions: 55COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1693800120.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4bb0000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e9adf6fd1ad26431a174170ae44adf0664c58beec9fdf4fc6f36fee61930d08f
                    • Instruction ID: b06df583e700f1042f4aa4ec953960a0ef6f1156c6521ea2a92c32a0031d2cba
                    • Opcode Fuzzy Hash: e9adf6fd1ad26431a174170ae44adf0664c58beec9fdf4fc6f36fee61930d08f
                    • Instruction Fuzzy Hash: D5F046AB20C104FD5D03348217456FB7A1AB59333033080A7F0C388602F6D46B5CB5B1
                    Function 04BB01F7 Relevance: .1, Instructions: 69COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1693800120.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4bb0000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0637ce910ae9896d3433a0c462b6822b4b6724d112b76a9f7ecd6a939ac30648
                    • Instruction ID: cda9a0d823c1ac4b94518efed12a6005bd720be1ddde3f9d12a9d4ab5cb8cba0
                    • Opcode Fuzzy Hash: 0637ce910ae9896d3433a0c462b6822b4b6724d112b76a9f7ecd6a939ac30648
                    • Instruction Fuzzy Hash: 1E117AA150C381AFCB0392645E996F67F65AF8722032401DAE4D1CF1C3D5DA091ED361
                    Function 04BB026E Relevance: .1, Instructions: 67COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1693800120.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4bb0000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 970ba62f8e1b4c02497f0134f8520f2dc269039a5eaceb2ae9dc86ed301e8238
                    • Instruction ID: e43189cadbb3f8aaef0655b9d34033d6c1cdb65a69961e32feaab8122449f70c
                    • Opcode Fuzzy Hash: 970ba62f8e1b4c02497f0134f8520f2dc269039a5eaceb2ae9dc86ed301e8238
                    • Instruction Fuzzy Hash: E811AB6640C3806ECF1352541A496F77F26EE8723032501DBE4E2CE183E5DA0A5ED7B2
                    Function 04BB01C8 Relevance: .1, Instructions: 51COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1693800120.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4bb0000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 88b5bafb3f1abf57ce321e9d182be407bbe8edbabbb504ee23042a44884b4ca9
                    • Instruction ID: 220898ab3325d7ed5e4f53dd984c892e3cb4f9db32eae2ee6ad68422a1a990d6
                    • Opcode Fuzzy Hash: 88b5bafb3f1abf57ce321e9d182be407bbe8edbabbb504ee23042a44884b4ca9
                    • Instruction Fuzzy Hash: 57F024EB24C114FD5C03348217493FB795AB5A723037040A6B0C785A02F6D8575CB9B2
                    Function 04BB0296 Relevance: .0, Instructions: 47COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.1693800120.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_4bb0000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c671d8e6194aad6e4df42236aabcfc35b53cab887c81e424805a7aa43bc2b716
                    • Instruction ID: 7c9b01bda1677c51cc25a685b0f020023e8c7acf5c7012b1d520bcc6f6505432
                    • Opcode Fuzzy Hash: c671d8e6194aad6e4df42236aabcfc35b53cab887c81e424805a7aa43bc2b716
                    • Instruction Fuzzy Hash: 60F097A3248111AD4D03649216442F72EBBB9C333037010A7F0C3CAA43E2CD590EE6B6